Problem executing a shell script as root user in Linux

Hi

We are working on the following Fixlet:

/////////////////////////////////////////////////////////////
// Package download
/////////////////////////////////////////////////////////////

if {name of operating system starts with "Linux"}
prefetch sshkey-scanner-localonly.sh sha1:015de8d5d4625880197ae55231a1a3b5b7096898 size:17429 GTSProtocol://127.0.0.1:52311/Uploads/015de8d5d4625880197ae55231a1a3b5b7096898/sshkey-scanner-localonly.sh
parameter "OS_script"="sshkey-scanner-localonly.sh"
endif

if {name of operating system starts with "AIX"}
prefetch sshkey-scanner-localonly.ksh sha1:e1cfe970300174e22007b3a35c64b52066c188b1 size:16943 GTSProtocol://127.0.0.1:52311/Uploads/e1cfe970300174e22007b3a35c64b52066c188b1/sshkey-scanner-localonly.ksh
parameter "OS_script"="sshkey-scanner-localonly.ksh"
endif

if {name of operating system starts with "Sun"}
prefetch sshkey-scanner-localonly.ksh sha1:e1cfe970300174e22007b3a35c64b52066c188b1 size:16943 GTSProtocol://127.0.0.1:52311/Uploads/e1cfe970300174e22007b3a35c64b52066c188b1/sshkey-scanner-localonly.ksh
parameter "OS_script"="sshkey-scanner-localonly.ksh"
endif

if {name of operating system starts with "HP-UX"}
prefetch sshkey-scanner-localonly.ksh sha1:e1cfe970300174e22007b3a35c64b52066c188b1 size:16943 GTSProtocol://127.0.0.1:52311/Uploads/e1cfe970300174e22007b3a35c64b52066c188b1/sshkey-scanner-localonly.ksh
parameter "OS_script"="sshkey-scanner-localonly.ksh"
endif

/////////////////////////////////////////////////////////////
// Start of script execution
/////////////////////////////////////////////////////////////

delete __appendfile
appendfile mv "_Download/{parameter "OS_script"}" "/tmp/{parameter "OS_script"}"
appendfile chmod -R 775 "/tmp/{parameter "OS_script"}"
appendfile "/tmp/{parameter "OS_script"}" >> "/tmp/ssh_keys_hostname.log"
delete run.sh
move __appendfile run.sh
wait chmod 775 run.sh
wait sh ./run.sh

As you can see, we work with different platforms. For most of them we use a ksh script, but for Linux we need to send a sh script.

On the other hand, for Linux it has been observed that the sh script needs to be executed as the root user, and we tried two different ways but got the same error. The Fixlet says exit code 0, but locally on the Linux server, in /tmp, we cannot see that the script is loaded and executed.

The two different ways used were:

1st way

delete __appendfile
appendfile mv "_Download/{parameter "OS_script"}" "/tmp/{parameter "OS_script"}"
appendfile chmod -R 775 "/tmp/{parameter "OS_script"}"
appendfile "/tmp/{parameter "OS_script"}" >> "/tmp/ssh_keys_hostname.log"
delete run.sh
move __appendfile run.sh
wait chmod 775 run.sh

if {name of operating system starts with "Linux"}
//wait sh runuser -l root -c "./run.sh" 1st
//wait su - root -c sh ./run.sh 2nd
wait runuser -l root -c sh ./run.sh
else
wait sh ./run.sh
endif

2nd way

/////////////////////////////////////////////////////////////
// Start of script execution
/////////////////////////////////////////////////////////////

if {name of operating system starts with "Linux"}
delete __appendfile
appendfile mv "_Download/{parameter "OS_script"}" "/tmp/{parameter "OS_script"}"
appendfile chmod -R 775 "/tmp/{parameter "OS_script"}"
appendfile "/tmp/{parameter "OS_script"}" >> "/tmp/ssh_keys_hostname.log"
delete run.sh
move __appendfile run.sh
wait chmod 775 run.sh
wait runuser -l root -c sh ./run.sh
else
delete __appendfile
appendfile mv "_Download/{parameter "OS_script"}" "/tmp/{parameter "OS_script"}"
appendfile chmod -R 775 "/tmp/{parameter "OS_script"}"
appendfile "/tmp/{parameter "OS_script"}" >> "/tmp/ssh_keys_hostname.log"
delete run.sh
move __appendfile run.sh
wait chmod 775 run.sh
wait sh ./run.sh
endif

But we did not obtain a good result with either of them.

Can you please help me?

Thanks in advance

As I understand it, the client should run AS root so all commands issued from it already have the elevated privilege?

Yes, the agent will execute as root.
Make sure your environment is OK; see this tip.

Hi

I tried your task to check the environment on the machine on which we were testing, and the result is:

cat /tmp/besenv

LCF_LIBDIR=/opt/Tivoli/lcf/lib/linux-ix86
BESClientActionMastheadPath=/etc/opt/BESClient/actionsite.afxm
SHELL=/bin/bash
TERM=xterm
ENDPOINT_OID=1323961648.1207.522+#TMF_Endpoint::Endpoint#
HISTSIZE=32765
KDE_NO_IPV6=1
TISDIR=/opt/Tivoli/lcf/dat/1
LOG_PIPE_WRITE=2
QTDIR=/usr/lib/qt-3.3
QTINC=/usr/lib/qt-3.3/include
USER=root
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:.cmd=00;32:.exe=00;32:.com=00;32:.btm=00;32:.bat=00;32:.sh=00;32:.csh=00;32:.tar=00;31:.tgz=00;31:.arj=00;31:.taz=00;31:.lzh=00;31:.zip=00;31:.z=00;31:.Z=00;31:.gz=00;31:.bz2=00;31:.bz=00;31:.tz=00;31:.rpm=00;31:.cpio=00;31:.jpg=00;35:.gif=00;35:.bmp=00;35:.xbm=00;35:.xpm=00;35:.png=00;35:.tif=00;35:
LD_LIBRARY_PATH=/opt/Tivoli/lcf/dat/1/cache/lib/linux-ix86:/opt/Tivoli/lcf/dat/1:/opt/Tivoli/lcf/lib/linux-ix86:/usr/lib
KDEDIR=/usr
LCF_BINDIR=/opt/Tivoli/lcf/bin/linux-ix86/mrt
INTERP=linux-ix86
NLSPATH=/opt/Tivoli/lcf/generic/msg_cat/%L/%N.cat:/opt/Tivoli/lcf/generic/msg_cat/%l/%N.cat:/opt/Tivoli/lcf/generic/msg_cat/C/%N.cat
MAIL=/var/spool/mail/root
PATH=/sbin:/usr/sbin:/bin:/usr/bin
_=/bin/env
INPUTRC=/etc/inputrc
PWD=/var/opt/BESClient/__BESData/CustomSite_IBM-2dGestion
LANG=es_ES.UTF-8
KDE_IS_PRELINKED=1
LCF_TEMPDIR=/tmp/
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
ENDPOINT=ces_celiap25 (Endpoint)
SHLVL=6
HOME=/root
LCF_DATDIR=/opt/Tivoli/lcf/dat/1
LOGNAME=root
QTLIB=/usr/lib/qt-3.3/lib
CVS_RSH=ssh
LESSOPEN=|/usr/bin/lesspipe.sh %s
PROMPT_COMMAND=history -a
DISPLAY=:0.0
LCFROOT=/opt/Tivoli/lcf
XAUTHLOCALHOSTNAME=localhost
LCF_CACHEDIR=/opt/Tivoli/lcf/dat/1/cache
HISTTIMEFORMAT=%F %T
G_BROKEN_FILENAMES=1
HISTFILE=/var/adm/hist/root/.bash_history.es087925.as.root.on.20140508
XAUTHORITY=.Xauthority
LCF_INSTANCE=1

But I really don’t know how to identify whether we can get a root cause from this.

Can you please help?

The Agent runs as root so you should not need to use

wait runuser -l root

Use the same call for all your scripts

wait sh ./run.sh 

If you need to further troubleshoot:

  • Make sure your action is creating the script file correctly
  • Make sure your script file runs in a terminal session as root user
  • Compare the output of the environment above with the environment of a terminal session and check if any differences will be important for your script

From your output it shows the Client is running as root. Any task it spawns will have root privilege

Hi All

The problem seems solved. It seems the script we were sending was in the wrong format.
We transformed the script with dos2unix and now we can execute the script correctly with:

delete __appendfile
appendfile mv "_Download/{parameter "OS_script"}" "/tmp/{parameter "OS_script"}"
appendfile chmod -R 775 "/tmp/{parameter "OS_script"}"
appendfile "/tmp/{parameter "OS_script"}" >> "/tmp/ssh_keys_hostname.log"
delete run.sh
move __appendfile run.sh
wait chmod 775 run.sh
wait sh ./run.sh

Thank you very much for your help.


Just a note here, if you are running shell to run the script you don’t need to change your permissions. You don’t even need to rename the file actually. In fact on some systems this won’t work as the /tmp is not allowed to hold executables. Same is true for /var/tmp on some systems.

It’s also better to remember to create the shell script with the first line being:

appendfile #!/bin/sh

And to run it with

wait /bin/sh ./run.sh

as this avoids some path confusion and is more secure

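The two points the posts above arrive at (a script delivered with DOS line endings, and running it through /bin/sh instead of relying on the execute bit or a noexec-mounted /tmp) can be checked on the endpoint before the script runs. This is an added example, not code from any poster; the function names are hypothetical, sed stands in for dos2unix in case that tool is not installed, and the noexec check reads /proc/mounts, so that part is Linux-only.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
CR=$(printf '\r')   # literal carriage return; avoids non-portable \r in sed/grep

# has_crlf FILE: succeed if any line ends in CR (DOS/Windows line endings).
has_crlf() {
    grep -q "${CR}\$" "$1"
}

# strip_crlf FILE: drop one trailing CR per line, keeping the file's owner/mode.
strip_crlf() {
    tmp="$1.unix.$$"
    sed "s/${CR}\$//" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# is_noexec DIR [MOUNTS]: succeed if the mount holding absolute path DIR has
# the noexec option. MOUNTS defaults to /proc/mounts, so this part is Linux-only.
is_noexec() {
    awk -v dir="$1" '
        { mp = $2
          if (mp == "/" || index(dir "/", mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { if (("," opts ",") ~ /,noexec,/) exit 0; exit 1 }
    ' "${2:-/proc/mounts}" 2>/dev/null
}

# run_delivered FILE: normalise line endings, then run through /bin/sh by
# absolute path so the execute bit and PATH lookup are not involved.
run_delivered() {
    if has_crlf "$1"; then
        echo "CRLF line endings in $1, converting" >&2
        strip_crlf "$1" || return 1
    fi
    if is_noexec "$(cd "$(dirname "$1")" && pwd)"; then
        echo "note: $1 is on a noexec mount; ./script execution would fail" >&2
    fi
    /bin/sh "$1"
}

if [ "$#" -gt 0 ]; then run_delivered "$1"; fi
```

Called with a script path as its only argument, the block converts the file if needed and runs it; the diagnostics go to stderr so they do not mix with the script's own output.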

Thanks to all for your help, it was very useful.


I used this and it works well:

//Copy Shell to Location:
wait mkdir -p "/Library/ShellExecuter"
move "__Download/install.sh" "/Library/ShellExecuter/install.sh"

//Execute Shell Script:

wait chmod -R 755 /Library/ShellExecuter
wait /bin/sh -c "(cd /Library/ShellExecuter/ && chmod +x install.sh)"
wait /bin/sh -c "(cd /Library/ShellExecuter/ && ./install.sh -i)"

//do some stuff after 300 seconds
parameter "start" = "{now}"
pause while {now < ( ((  parameter "start" of action  ) as time ) + 300* second)}

//Remove Shell File:
wait sh -c "rm '/Library/ShellExecuter/install.sh'"