How do I delete a file owned by root from within bash script?

Question

I want to delete a file (/var/lib/pacman/db.lck) owned by root user from within a simple script owned by a non-privileged user:

#!/bin/bash
rm -f /var/lib/pacman/db.lck

But I don't want to run the script using sudo in order to avoid typing password each time I execute the script as a non-privileged user. In order to achieve this I set the s bit:

-rwsrwsrwx  1 popov  users       41 04.02.2015 10:35 unlock.sh

But after running the script I get

rm: cannot remove ‘/var/lib/pacman/db.lck’: Permission denied

It seems that I wrongly understand the purpose of s bit.

So the question is: How to setup the script permissions (and/or perhaps ownership of the script) which will let the script to delete a root-owned file when invoked by a non-privileged user?

possible duplicate of [SUID not working with shell script](http://stackoverflow.com/questions/18698976/suid-not-working-with-shell-script) — zoska, Feb 04 '15 at 10:37

telemaco · Answer 1 · 2015-02-04T10:51:50.407

5

If the problem is that sudo asks the password, you could configure sudo with "NOPASSWD" option with this command. Something like that:

joe ALL=(ALL) NOPASSWD: /full/path/to/command

edited Feb 04 '15 at 10:51

answered Feb 04 '15 at 10:41

telemaco

3,103
2
16
8

1

This is a better answer than the accepted answer, because this answers the real question, and the other one is insecure. – Feb 04 '15 at 10:58

score 1 · Accepted Answer · answered Feb 04 '15 at 10:54

1

Another alternative is replacing the shell script with a little C program:

#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdio.h>

#define FILENAME "/var/tmp/dummy"

int main() {
    if(unlink(FILENAME) == -1) {
        printf("unlink() of %s failed: %s\n", FILENAME, strerror(errno));
        return 1;
    }
    return 0;
}

Change the FILENAME
Save it as unlink_it.c.
Compile using gcc -Wall -o unlink_it unlink_it.c
Copy it to a suitable place (perhaps /usr/local/bin).
Change the owner to root
Add the SUID bit to the program
Call the special purpose program from your unprivileged shell script.

Beware: Any user on the system can launch the program and thus delete the file unless you limit its use using the UNIX permissions!

answered Feb 04 '15 at 10:54

neuhaus

3,886
1
10
27

A nice step-by-step tutorial. Thanks! – Igor Popov Feb 04 '15 at 10:57
This is a really insecure solution. – telemaco Feb 04 '15 at 11:32
It depends on what you want to achieve. It makes sure that only this particular file will be deleted. As I mentioned, you need to limit the users that are allowed to run this program using UNIX permissions. – neuhaus Feb 04 '15 at 11:33

score 0 · Answer 3 · answered Feb 04 '15 at 10:37

First of all, the script needs to be owned by the user that is given to the script while executing (in your case, root). However, SUID shell scripts are a bad idea (see comment).

The proper solution is not to run the script as SUID, instead you should give the user write permission to the directory that the file resides in. Then the script can unlink (delete) the file even if it belongs to another user and it has no permission to write to it.

A concrete example: You have a user "popov" that is member of the group "popov" and a directory /var/lib/pacman

chgrp popov /var/lib/pacman
chmod g+w /var/lib/pacman

Thanks for the answer! I would rather not change group of a sensitive system folder which uses important system utility pacman (package manager). It may produce more problems (and eventual security holes) than benefits. — Igor Popov, Feb 04 '15 at 10:47

How do I delete a file owned by root from within bash script?

3 Answers3