0

Im on ubuntu, and im running a foo.sh script in the background. How to protect it from being killed by the user with sudo? How to protect this process from myself?

I want the pc to shut down after watchdog notices the script process is killed. And cant I just kill the watchdog instead to trick this protection?

I installed watchdog, but i dont know how to use it. Please help, give me an example command.

.. In case you wonder, foo.sh is a script that shuts down my pc X minutes after running, like a scheduled shutdown. I want to schedule a shutdown, but I end up canceling it later. I must stop myself from canceling it.

MyWays
  • 257

1 Answers1

0

How to protect it from being killed by the user with sudo? How to protect this process from myself?

If you're the only user (so system-wide changes will only affect you), I think there is a way, a cumbersome trick.

  1. Ensure the script runs as root and only root can play with it (i.e. you need sudo to kill it).

  2. Prepare a copy of /etc/group:

    sudo cp -a /etc/group /etc/group.limited

  3. Edit the copy, so your user is not in the sudo group.

  4. Bind mount the copy over /etc/group:

    sudo mount --bind /etc/group.limited /etc/group

    From now on tools like pkexec or systemctl will deny elevated access because they will read the file and know you're not supposed to be in the sudo group.

    The change will not affect sudo easily. The tool may or may not rely on the sudo group. If it does, it will still perceive you in the group because you were in the group when you logged in. I guess you don't want to log out and in again. To trick sudo you need a separate step.

  5. Bind mount /dev/null over /etc/sudoers:

    sudo mount --bind /dev/null /etc/sudoers

    (or you can prepare an alternative sudoers file and mount it).

  6. Exit any elevated shell or elevated program that can run an arbitrary command as root.

These mounts are not permanent. Reboot and they are gone, and you're able to sudo again.

Note the solution not only prevents you from killing the script; it does (or tries to) prevent you from doing anything as root. This may not be what you want. Still if you maintained the ability to do some things as root, there would probably be a way to do more and kill the script eventually.

Treat this answer as a sketch. I cannot guarantee it disables all ways to elevate to root. In particular:

  • su - will still work if you provide the root password (you can bind mount /dev/null over /bin/su though, I guess).
  • I think in other distros the relevant group may be admin or wheel.
  • What you can do with pkexec depends on rules in /usr/share/polkit-1/ and /etc/polkit-1/ (and maybe other places?). The rules can be complex, so just removing yourself from the right group(s) may not be enough.
Kamil Maciorowski
  • 81,893