11-15-2017 03:09 PM
I need to execute a script (vpnup) from the command line within LabVIEW on a sbRIO, however the lvuser does not have permissions to run the commands in this script. I thought that setting the SUID and SGID on the file would let lvuser run this as the file's owner (admin), however that does not work. Suggestions appreciated.
admin@NI-sbRIO-9607-01caa447:/home/lvuser# ls -l
total 16
lrwxrwxrwx 1 admin ni 22 Nov 6 18:34 README_File_Paths.txt -> /README_File_Paths.txt
drwxrwxr-x 4 lvuser ni 296 Nov 6 18:37 natinst
-rw-rw-r-- 1 webserv ni 3714 Nov 15 18:29 openvpn.conf
-rw-r--r-- 1 lvuser ni 2367 Nov 15 19:18 testscript
-rw-rw-r-- 1 webserv ni 12 Nov 9 22:07 vpn.txt
-rwsrwsrwx 1 admin ni 106 Nov 15 18:49 vpnup
Here's the vpnup script:
#!/bin/bash -x
echo "opening VPN connection home."
/usr/sbin/openvpn --config /home/lvuser/openvpn.conf
The big picture is that I have remote sbRIOs communicating through AWS IoT using MQTT. I want to send a command to a particular unit to "phone home" and have it start an openvpn connection back to the office. Once it's on the local network I can connect via the LabVIEW project for debugging/upgrading/etc... Bringing a VPN connection up and down works fine from the command line when logged in as admin, but fails when I su as lvuser.
This post referenced installing sudo as a high-risk workaround. Is that the only option, or is there another way?
Thanks,
Richard
11-15-2017 10:46 PM
SUID bits for scripts are ignored (see: https://unix.stackexchange.com/questions/74527/setuid-bit-seems-to-have-no-effect-on-bash).
You can either:
As I noted here, you can limit the commands that a user can run under sudo (and even limit who they can run those commands as), limiting to just the script that you are interested in and only the users (admin) to run the script as.
Either way, you're given some reasonable tools to limit the powers bestowed to lvuser (just make sure to check permissions on that file! don't want some yahoo overwriting your script to make it do bad things)
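The permission check mentioned in the reply above, as an added example that is not part of the original posts: a script that audits a file before it is listed in sudoers. It goes one step beyond the file itself and also checks the parent directory, since whoever can write to the directory can replace the file. The sudoers line and the /usr/local/sbin/vpnup path in the comments are assumptions, as is the function name check_sudo_target.

```shell
#!/bin/sh
# Added example: audit a script before allowing it in sudoers.
# Assumed sudoers rule (edit with visudo; the path is a hypothetical location):
#   lvuser ALL=(admin) NOPASSWD: /usr/local/sbin/vpnup
# lvuser would then run:  sudo -u admin /usr/local/sbin/vpnup

# writable_by_others MODE -> true if group or other write bits are set.
# MODE is the octal string printed by `stat -c %a` (e.g. 755, 4777).
writable_by_others() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# check_sudo_target FILE OWNER
# Returns 0 if FILE and its directory are owned by OWNER and writable
# only by their owner; returns 1 otherwise, with reasons on stderr.
check_sudo_target() {
    file=$1; want_owner=$2; rc=0
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
    dir=$(dirname "$file")
    for p in "$file" "$dir"; do
        owner=$(stat -c %U "$p")
        mode=$(stat -c %a "$p")
        if [ "$owner" != "$want_owner" ]; then
            echo "$p: owned by $owner, expected $want_owner" >&2; rc=1
        fi
        if writable_by_others "$mode"; then
            echo "$p: mode $mode is group/world writable" >&2; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: ./check.sh /usr/local/sbin/vpnup admin
if [ $# -eq 2 ]; then
    check_sudo_target "$1" "$2"
fi
```

Run against the listing in the question, this would flag both the rwsrwsrwx mode on vpnup and the fact that the file sits in a directory belonging to lvuser.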