Ubuntu – Run script at user login as root, with a catch


I'm trying to run a PHP script as root on user login. The PHP script adds a Samba share to the Samba config, hence the need for root privileges. The only issue here is that the user doesn't exist yet. This system is integrated with Active Directory, so when a user logs in for the first time, a home directory for them is created under /home/DOMAIN/username.

I've found this question and that seems like the correct way to get what I want, but I'm having trouble with the syntax since I don't know the user's name.

Would it be something like:

ALL ALL=(ALL) NOPASSWD: /home/DOMAIN/*/createSambaShare.php

This doesn't seem to work as it is currently. Anyone have any ideas or a "scripted" way to add a Samba share on user login?

Since I've made other changes to /etc/skel, I just added the bash necessary to run the PHP script in .profile in there. This then gets copied to the "new" user's home and it tries to run the PHP script. But it fails, because these are not privileged users.

Changing permissions on the PHP script will not help. It needs to be run as sudo because it opens the Samba config file for writing. Letting any user run the PHP script would result in a PHP error.

The homes Samba directive doesn't work for my use case. I need the Samba share to exist once they exist on the server, even when they're not logged in.

Best Answer

Do not put the script in the user's home directory. Instead, put it in a fixed location. If the script needs some user-dependent arguments, make the script read that from a file — but you don't even need that since you're copying the script from /etc/skel anyway.

If you allow a user to run a script in their home directory with elevated privileges, then they can replace the script by another script. So your proposed rule would be equivalent from a security point of view to

ALL ALL=(ALL) NOPASSWD: /etc/skel/createSambaShare.php
MANY ALL=(ALL) NOPASSWD: ALL

where MANY is any user whose home directory is under /home/DOMAIN. (OK, unless a user's home directory is owned by root, not writable by the user, and the script is not writable by or owned by the user either. But that would be pretty unusual.)

Also, I recommend not using ALL in a User specification. Restrict the rule to a group.

%sambasharers ALL=(ALL) NOPASSWD: /usr/local/bin/createSambaShare.php