Giving Privileges to Users
We have a team of Oracle administrators who need root privileges to run Oracle's "root.sh" script. The script is interactive, and running it is a required step of the interactive (GUI) Oracle installation. There are much better and more reliable ways to install Oracle, such as a silent installation. With that said, let me demonstrate how you can give a user permission to run an interactive privileged program.
You will use an existing utility called sudo. This program lets the system administrator grant user accounts permission to execute specific programs as the root user, or as some other user. If the user will be executing the privileged program interactively, then you're all done. See my page on using Sudo.
If the privileged program is interactive, and the user wishes to run it in batch (i.e. from a script in cron), then you must write a program that handles the interactive prompting and answers each prompt with a pre-programmed response. The programming tool called expect solves this problem. expect is built on Tcl, an embeddable scripting language. Using expect, you program a series of patterns to match, with commands to execute when each pattern matches. Here is an example:
Here is the privileged program. It resides in /usr/local/bin/priv_program:
#! /bin/bash
# Prompt for two values and append each one to a root-owned log file.
read -p "Enter data1: " input
echo "input1: $input" >> /var/log/priv_program_log
sleep 2
read -p "Enter data2: " input
echo "input2: $input" >> /var/log/priv_program_log
exit 0
NOTE: Yes, I know this program isn't hardened. This is just for demonstration purposes.
The above program is owned by root:
-rwxr-xr-x 1 root staff 191 Aug 9 20:33 /usr/local/bin/priv_program
The above program will append the input from the user to the /var/log/priv_program_log file.
The permissions of /var/log/priv_program_log are:
-rw-r--r-- 1 root root 294 Aug 9 20:37 /var/log/priv_program_log
Anyone can execute /usr/local/bin/priv_program, but only the root user is allowed to write to /var/log/priv_program_log.
Here is the expect script to non-interactively run the /usr/local/bin/priv_program:
(NOTE: I called this program doit)
#! /bin/bash
# vi:set nu ai ap smd showmatch tabstop=4 shiftwidth=4: \
exec /usr/bin/expect $0 "$@"
# (The trailing backslash above continues the comment for Tcl, so bash
#  runs the exec line and expect ignores it when it re-reads this file.)
# logging level
# set to 0 for quiet mode.
log_user 1
# start the privileged program
# (here's where you'll change the pathname to your root.sh script;
#  keep the comment on its own line: in Tcl, "#" only starts a comment at
#  the start of a command, so text after the spawn command would be passed
#  to sudo as extra arguments)
spawn sudo /usr/local/bin/priv_program
# get the response from the priv_program
expect {
    data1: {
        # we got a prompt with "... data1:" in it
        # we will just return the current value of seconds
        set data [exec date {+%s}]
        send "$data\r"
        exp_continue
    }
    data2: {
        # we got a prompt with "... data2:" in it
        # we will just return the current value of seconds
        set data [exec date {+%s}]
        send "$data\r"
        exp_continue
    }
    eof {
        # detected end-of-program
        puts ">INFO: end of program detected\r"
        exit 0
    }
    timeout {
        # bigger problems; we had a timeout;
        # ...none of the patterns matched.
        puts ">ERROR: timeout for priv_program\r"
        exit 1
    }
}
# all done
exit 0
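The doit script above always exits 0 once the spawned program closes its output, so a cron job cannot tell whether priv_program actually succeeded, and if the sudoers NOPASSWD rule is ever removed the job would sit on a password prompt until the timeout. The following is an added example, not the page's doit script, showing the same automation written to fail closed and to return the real exit status. It assumes the page's paths (/usr/local/bin/priv_program) and a transcript file /var/tmp/priv_program.transcript that I chose for this example.

```expect
#!/usr/bin/expect -f
# Added example (not the page's doit script): drive priv_program through
# sudo from cron, refuse to answer a password prompt, and pass the spawned
# program's real exit status back to the caller.
# Assumed paths: /usr/local/bin/priv_program and /var/tmp/priv_program.transcript

set prog /usr/local/bin/priv_program
set timeout 15                        ;# seconds to wait for each prompt

log_user 0                            ;# keep cron mail quiet ...
log_file -a /var/tmp/priv_program.transcript ;# ... but keep a full transcript for audit

# -n: sudo never prompts for a password. If the NOPASSWD rule is missing,
# sudo exits non-zero immediately instead of hanging the job on a prompt.
spawn sudo -n $prog

expect {
    -re {Enter data1: $} {
        send "[clock seconds]\r"
        exp_continue
    }
    -re {Enter data2: $} {
        send "[clock seconds]\r"
        exp_continue
    }
    -re {assword[^\n]*: $} {
        # A password prompt means the sudoers grant is not in effect.
        # Send nothing; close the pty and report the misconfiguration.
        puts stderr ">ERROR: sudo asked for a password; check /etc/sudoers"
        close
        exit 2
    }
    timeout {
        puts stderr ">ERROR: no recognised prompt within $timeout seconds"
        exit 3
    }
    eof {
        # The spawned program has finished; fall through to collect its status.
    }
}

# wait returns {pid spawn_id os_error status}. When os_error is 0, status is
# the exit code of the spawned command (priv_program, or sudo if it refused).
lassign [wait] pid spawn_id os_error status
if {$os_error != 0} {
    puts stderr ">ERROR: wait failed, errno $status"
    exit 4
}
puts stderr ">INFO: priv_program exited with status $status"
exit $status
```

Two design points: the prompt patterns are anchored with `$` so the script only answers a prompt that is the last thing on the screen, and the transcript is written with `log_file -a`, which records output even though `log_user 0` hides it from the cron mail. Because the script exits with priv_program's own status, cron (or any wrapper) sees a non-zero result when the privileged step fails.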
Here is the entry in the /etc/sudoers file that allows user sandholm to run /usr/local/bin/priv_program as root:
sandholm ALL = (root) NOPASSWD: /usr/local/bin/priv_program
NOTE: you may need to disable requiretty if you wish to run your script via cron (without a tty). I know that Red Hat enables requiretty in its sudoers file.
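A bare command path in a sudoers rule matches any argument list, and turning off requiretty globally loosens every sudo invocation on the host, not just this one. As an added example (not the page's one-line rule), here is the same grant written so that the program may only be run with no arguments and the requiretty exemption applies to this command alone. It assumes the page's user name sandholm and the path /usr/local/bin/priv_program, and belongs in /etc/sudoers or a file under /etc/sudoers.d, edited with visudo.

```sudoers
# Added example: the page's grant, tightened. Assumes user sandholm and
# program /usr/local/bin/priv_program as on the page.

# A trailing "" means the command may only be run with no arguments at all;
# without it, a bare path in sudoers matches any arguments the user supplies.
sandholm ALL = (root) NOPASSWD: /usr/local/bin/priv_program ""

# Lift requiretty only for this command, so a cron job can run it without
# changing the default for every other sudo invocation on the system.
Defaults!/usr/local/bin/priv_program !requiretty
```

With the `""` restriction in place, the expect script must spawn the program with exactly no arguments, which is one more reason to keep comments and any stray text off the spawn line. Check the result with `visudo -c` before relying on it from cron.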
This should give you enough tools to tackle the Oracle root.sh program. It's up to you to document all the prompts and required input that the root.sh program will expect. Just tailor your expect script to respond accordingly.