NI Linux Real-Time Discussions

Linux permissions

I need to execute a script (vpnup) from the command line within LabVIEW on a sbRIO, however the lvuser does not have permissions to run the commands in this script. I thought that setting the SUID and SGID on the file would let lvuser run this as the file's owner (admin), however that does not work. Suggestions appreciated.

admin@NI-sbRIO-9607-01caa447:/home/lvuser# ls -l
total 16
lrwxrwxrwx    1 admin    ni              22 Nov  6 18:34 README_File_Paths.txt -> /README_File_Paths.txt
drwxrwxr-x    4 lvuser   ni             296 Nov  6 18:37 natinst
-rw-rw-r--    1 webserv  ni            3714 Nov 15 18:29 openvpn.conf
-rw-r--r--    1 lvuser   ni            2367 Nov 15 19:18 testscript
-rw-rw-r--    1 webserv  ni              12 Nov  9 22:07 vpn.txt
-rwsrwsrwx    1 admin    ni             106 Nov 15 18:49 vpnup

 

Here's the vpnup script:

#!/bin/bash -x
echo "opening VPN connection home."
/usr/sbin/openvpn --config /home/lvuser/openvpn.conf

 

The big picture is that I have remote sbRIOs communicating through AWS IoT using MQTT. I want to send a command to a particular unit to "phone home" and have it start an openvpn connection back to the office. Once it's on the local network I can connect via the LabVIEW project for debugging/upgrading/etc... Bringing a VPN connection up and down works fine from the command line when logged in as admin, but fails when I su as lvuser.

This post referenced installing sudo as a high risk workaround. Is that the only option, or is there another way?

 

Thanks,

 

Richard

0 Kudos
Message 1 of 2
(2,448 Views)

SUID bits for scripts are ignored (see: https://unix.stackexchange.com/questions/74527/setuid-bit-seems-to-have-no-effect-on-bash).

 

You can either:

  1. write a small shim binary that turns around and calls the script (setting the SUID bit on the binary) or
  2. install and properly limit sudo's permissions/accessibility.

As I noted here, you can limit the commands that a user can run under sudo (and even limit who they can run those commands as), limiting to just the script that you are interested in and only the users (admin) to run the script as.

 

Either way, you're given some reasonable tools to limit the powers bestowed to lvuser (just make sure to check permissions on that file! don't want some yahoo overwriting your script to make it do bad things ;) )

0 Kudos
Message 2 of 2
(2,423 Views)