Execute a script as root when non root user logs in











I've seen this question asked before here and here but they're pretty old and I haven't been able to get any solution to work.



Basically I need to run a script or command automatically as root each time a non root user SSH's into the server. Server is running Ubuntu 16.04 and using OpenSSH if that makes a difference.



EDIT:
To be more specific, I want to kill a process that was created by user A when user B logs in. My roommates and I mine crypto on my headless gaming server and I'd like to be able to run pkill miner.sh automatically when someone logs in, regardless of who started it. Since it would be insanely insecure to let users kill each others' processes, it seems that this is more difficult than expected.







Tags: linux ubuntu ssh sudo root

edited Aug 28 at 1:21
asked Aug 18 at 15:13
jamzsabb












  • pam_exec mentioned in the second question is also what I'd try. Needs a bit of reading up on PAM.
    – dirkt
    Aug 18 at 15:54










  • @dirkt Yeah, I saw that, but I got permission errors when I tried it. I'll look more into it; I really don't know PAM, so that could be the issue.
    – jamzsabb
    Aug 18 at 17:06










  • You may get a better answer if you explain what you actually want done at login (there may be a better way than executing a script as root).
    – Omnipresence
    Aug 20 at 14:48




























2 Answers
pam_exec has you pointed in the right direction, but setuid is bad advice; most (all?) modern Linuxes ignore it on shell scripts and only respect it on binary executable files.

Would it be a problem if the script was executed (as root) at times other than login?
If it's ok for it to run more often than strictly required, you could create a wrapper script that's executed at every ssh login with user permissions which uses sudo (with no password) to execute your script as root.
This, however, means that the users could also run it manually (as root) as often as they wanted to.

To set this up, add this line to /etc/pam.d/sshd

    account optional pam_exec.so /etc/pam.d/LoginWrapper.sh

Then create the file /etc/pam.d/LoginWrapper.sh with contents:

    #!/bin/bash
    if [[ $EUID -ne 0 ]]; then # Execute only when a user other than root logs in
        /usr/bin/sudo /path/to/your/root_script.sh
    fi

Note that if your sudo is in a different path, you should update it above.

Now in /etc/sudoers add the line:

    ALL ALL=(root) NOPASSWD: /path/to/your/root_script.sh

answered Aug 20 at 14:48
Omnipresence












  • Thanks for the help @Omnipresence but I still get pkill: killing pid 2629 failed: Operation not permitted when I try to run it. My root_script.sh is basically just pkill miner.sh
    – jamzsabb
    Aug 28 at 1:23

  • I updated my question with more info. I'm not really set on doing this any particular way; it's just a simple thing that I wanted to do for convenience that has caused me to dig a lot deeper into Linux user permissions. At this point I want to do it just to prove it can be done!
    – jamzsabb
    Aug 28 at 11:58
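For the pam_exec approach in the answer above, a hook that needs no sudo, as an added example (not code from the answer or its comments): pam_exec starts its command with the real UID of the calling process, which is root for sshd, and exports PAM_USER, PAM_TYPE and PAM_SERVICE, so the script can decide from those. The script path, the `session` line and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Hypothetical install path (root:root, mode 0755):
#   /usr/local/sbin/login-hook.sh
# Hypothetical line for /etc/pam.d/sshd:
#   session optional pam_exec.so /usr/local/sbin/login-hook.sh
#
# A "session" line makes pam_exec call the script twice per login:
# once with PAM_TYPE=open_session and once with PAM_TYPE=close_session.

# Process name from the question, written as a regex for pkill.
TARGET_PATTERN='miner\.sh'

# Decide whether a PAM event should trigger the action.
# Args: PAM_TYPE PAM_USER PAM_SERVICE. Returns 0 (act) or 1 (skip).
hook_should_act() {
    [ "$1" = "open_session" ] || return 1   # ignore logout and other phases
    [ "$3" = "sshd" ] || return 1           # only SSH logins
    [ -n "$2" ] || return 1                 # no user name: do nothing
    [ "$2" != "root" ] || return 1          # root logging in is exempt
    return 0
}

# Entry point: already running as root here, so pkill may signal
# processes of any owner without going through sudo.
run_hook() {
    if hook_should_act "${PAM_TYPE:-}" "${PAM_USER:-}" "${PAM_SERVICE:-}"; then
        logger -t login-hook "login of $PAM_USER: stopping $TARGET_PATTERN" \
            2>/dev/null || true
        # -x matches the whole process name; exit status 1 only means
        # that nothing matched, which is not an error for a login hook.
        pkill -x "$TARGET_PATTERN" || true
    fi
    return 0
}

run_hook
```

Because the line is marked `optional`, a failing hook does not block the login.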


















accepted

Solved this by adding all users to a group called mygroup

    sudo groupadd mygroup
    sudo usermod -aG mygroup user1
    sudo usermod -aG mygroup user2

Then modifying /etc/sudoers to allow this group to execute sudo pkill without a password by adding the following to sudoers

    %mygroup ALL=(ALL) NOPASSWD: /usr/bin/pkill

Then I just added the command sudo pkill to the bottom of /etc/profile and it worked a charm.

edited Sep 20 at 13:27
answered Sep 19 at 16:46
jamzsabb
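How the two NOPASSWD rules on this page compare with a rule pinned to one command line, as an added example (not from either answer): in sudoers, a command listed without arguments may be run with any arguments, while one listed with arguments must be invoked with exactly those. The function name and the third, narrower rule in the constructed sample are assumptions made here.

```shell
#!/bin/sh
# Added example: report the run-as list and argument scope of a
# NOPASSWD sudoers rule. Simplifications (assumptions of this sketch):
# one rule per line, no escaped commas, Cmnd_Alias names not expanded
# (an alias name is reported as args=any).

# audit_nopasswd_rule RULE
# Prints "runas=<list> args=<any|pinned>" and returns 0 for a NOPASSWD
# rule; returns 1 for comments and rules without NOPASSWD.
audit_nopasswd_rule() {
    rule=$1
    case $rule in
        "#"*) return 1 ;;
        *NOPASSWD:*) ;;
        *) return 1 ;;
    esac

    # Run-as list is the text inside the first (...); sudo uses root
    # when the rule has none.
    case $rule in
        *"("*")"*) runas=${rule#*"("}; runas=${runas%%")"*} ;;
        *) runas=root ;;
    esac

    # Everything after the tag is a comma-separated command list.
    cmds=${rule#*NOPASSWD:}
    args=pinned
    old_ifs=$IFS
    set -f          # do not glob-expand wildcards found in the rule
    IFS=,
    for cmd in $cmds; do
        # Collapse whitespace and trim both ends.
        cmd=$(printf '%s' "$cmd" |
            sed 's/[[:space:]][[:space:]]*/ /g; s/^ //; s/ $//')
        case $cmd in
            *" "*) ;;           # path plus arguments: exact match required
            *) args=any ;;      # bare path: any arguments are accepted
        esac
    done
    IFS=$old_ifs
    set +f

    printf 'runas=%s args=%s\n' "$runas" "$args"
}

# Constructed sample: the two rules from this page, then a hypothetical
# rule limited to root and to the one command line from the question.
while IFS= read -r line; do
    printf '%-58s -> ' "$line"
    audit_nopasswd_rule "$line" || echo "not a NOPASSWD rule"
done <<'EOF'
%mygroup ALL=(ALL) NOPASSWD: /usr/bin/pkill
ALL ALL=(root) NOPASSWD: /path/to/your/root_script.sh
%mygroup ALL=(root) NOPASSWD: /usr/bin/pkill miner.sh
EOF
```

With the third rule, `sudo pkill miner.sh` runs without a password and any other pkill command line is refused; `visudo -c` checks the file's syntax before it takes effect.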





























