Run A Script As root Without sudo

Ever had to…?

Run a script as root without sudo? Well, I did, and I'll explain why and how in this little blog post.

Why

I wanted to run a script on my Synology NAS through ssh, but I found out it needed sudo to run.
The script was to trigger a new render of my website. My website runs in a docker container and docker runs as root on linux, so in order to render I have to run a docker command and that needs sudo.
But how to do this without it?

How

On Linux it is possible to run a script as root if you configure it through the visudo command.
This command is not available on the Synology Linux distro, so I had to edit the /etc/sudoers file myself.

This is tricky, because if you make a mistake it could break sudo. So before you make any changes there,
I would advise opening multiple sessions to your NAS, becoming root in one of those sessions (sudo su) and
doing the work in the other session. That would at least give you an already started root session if
you break it in the other session, so you can fix stuff.

Now do the following:

```bash
sudo su # Become the super user
cd /etc/sudoers.d
vi your_username_here
i # insert mode in vi
your_username_here ALL=(root) NOPASSWD: /path/to/script/you/want/to/run
your_username_here ALL=(root) NOPASSWD: /usr/local/bin/docker
<esc>
:wq! # write, quit and yes even though it might be read only do it!
chmod 0400 your_username_here # read rights only for root
```

Now, before you leave this session as root, try to become root in another session. If you can, the config is correct;
if not, revert your changes in this session.

Now you have given yourself permission to run these programs / scripts as root without the need of the sudo command.

In my script I had this command `/usr/local/bin/docker exec www.ivonet.nl hexo generate` and that resulted in this error:

```
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: 
Post http://%2Fvar%2Frun%2Fdocker.sock/.../exec: dial unix /var/run/docker.sock: connect: permission denied
```

So my command actually worked, but some other stuff was wrong. Docker did not ask for a password or complain that it could not run.
No, another file had the wrong rights.

Time to define a group for docker.

```bash
synogroup --add docker your_username_here
```

This will create a group called docker and add your user to that group. Now change the owner of the `/var/run/docker.sock` file and give the script you want to run the same ownership.

```bash
sudo chown root:docker /var/run/docker.sock
sudo chown root:docker /path/to/script/you/want/to/run
sudo chmod +x /path/to/script/you/want/to/run # to make it executable
```

Now try running this script again.
It should work like a charm without the need of sudo.

I can now run a script like this and it will not ask me for a password.

```bash
ssh your_username_here@your_nas_ip_here -t sudo /path/to/script/you/want/to/run
```

Of course you need public / private keys configured to log in with ssh without the need for a password, but that is another story I might already have blogged about 😄.

Danger, danger

Note that users with such a script and belonging to the docker group could potentially execute root commands through docker containers.
Nothing would prevent such a user from mounting / as a volume in their container, and as docker runs as root, they would have root access.
As I am the only user on my NAS it is not a problem, but it is something to think about if you have multiple users.
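
An added example, not part of the original post: a small audit of the NOPASSWD entries created in the sudoers drop-in above. It lists each command the drop-in grants and flags targets that a non-root user could replace, plus docker itself for the reason given in this section. The function names and the `EXPECTED_UID` variable are this example's own.

```bash
#!/bin/sh
# Added example (not from the original post): audit NOPASSWD sudoers targets.
# EXPECTED_UID is this sketch's own knob: 0 (root) on a real system,
# overridable so the check can be tried on scratch files.
EXPECTED_UID=${EXPECTED_UID:-0}

# Print each command path granted with NOPASSWD in sudoers file $1.
# Assumes one NOPASSWD tag per line, as in the entries shown in the post.
nopasswd_targets() {
    sed -n '/^[[:space:]]*#/d; s/^.*NOPASSWD:[[:space:]]*//p' "$1" |
        tr ',' '\n' | awk '$1 ~ /^\// { print $1 }'
}

# Print "OK <path>" or "RISK <path>: <reason>"; return 1 on a risk.
check_target() {
    path=$1
    [ -e "$path" ] || { echo "RISK $path: does not exist"; return 1; }
    # A target (or its directory) that a non-root user can write to can be
    # replaced, and sudo will then run the replacement as root.
    loose=$(find "$path" "$(dirname "$path")" -prune \
        \( ! -user "$EXPECTED_UID" -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "RISK $path: not root-owned or group/world-writable:" $loose
        return 1
    fi
    # The post's own warning: access to docker amounts to root access.
    case ${path##*/} in
        docker) echo "RISK $path: docker access is root-equivalent"; return 1 ;;
    esac
    echo "OK $path"
}

# Audit every NOPASSWD target in sudoers file $1; non-zero if any is risky.
audit_sudoers() {
    rc=0
    for target in $(nopasswd_targets "$1"); do
        check_target "$target" || rc=1
    done
    return $rc
}

# Usage: sh audit.sh /etc/sudoers.d/your_username_here   (run as root)
if [ $# -gt 0 ]; then audit_sudoers "$1"; fi
```

Run it as root against the drop-in file after any change to the entries or to the ownership of the scripts they name.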

For the reader

I hope that this will help you resolve your need if it arises :-)
If you have suggestions or just a thank you, you can always leave a comment below…