I am the sudo user (main_user) of my server (redhat8) and have many user accounts (user1, user2,....).
I can run installed application in server using main_user account but the other users are not able to execute the program or run the application.
** I have installed the applications/programs from main_user account which is not a root user but having sudo previlages.
What can be done to make the application and programs available to other users as well.
What I tried:
I have made alias in both ./bashrc and profile.d/all_user.sh, and source them but no luck.
You can implement sudo. First in /etc/sudoers file add line like:
user1,user2,user2 ALL=/path/to/the/program
If the users above are in specific group you can add something like:
%usergroup ALL=/path/to/the/program
And run the program like:
sudo -u main_user /path/to/the/program
I have a freeradius server setup with google authenticator to provide a basic working multi-factor setup.
Everything works when I run radiusd in debug mode as root. If I start it as a service, logons fail and this messages is recorded when processing messages:
radiusd(pam_google_authenticator)[1115]: Failed to read "/home/user#domain.com/.google_authenticator" for "user#domain.com"
I think this must be a permissions issue since it works fine when run as root.
I don't really want to edit the permissions on each secret file for every user.
I have tried specifying root in
/etc/raddb/radiusd.conf
user = root group = root
but still the service fails unless run from the command line as root. Does anyone have a nice elegant solution to this conundrum?
I think you should check out your systemd service file for radiusd. It might look something like:
https://github.com/ipfire/ipfire-3.x/blob/master/freeradius/systemd/freeradius.service
You can add User= and Group= in the [Service] section of the .service file if needed. See
https://unix.stackexchange.com/questions/347358/how-to-change-service-user-in-centos-7
and
https://serverfault.com/questions/806617/configuring-systemd-service-to-run-with-root-access
It would be a good idea to put the contents of the .service file for radiusd in your post.
I have nodejs webapp with postresql. I am running this using supervisord on the server. The problem is that the postgresql login from nodejs is failing. The error message is:
no PostgreSQL user name specified in startup packet
which basically means no user name is being passed from the webapp while connecting to the db.
Note that I am using unix socket for connecting to postgres from my webapp.
My webapp1.conf looks like:
[program:webapp1]
user=webapp1
command = node /home/webapp1/projects/webapp1/app.js
directory = /home/webapp1/projects/webapp1
autostart = true
autorestart = true
stdout_logfile = /var/log/supervisor/webapp1.log
stderr_logfile = /var/log/supervisor/webapp1_err.log
I have confirmed that supervisor is running the webapp is running under user webapp1.
One more thing - if I start my webapp by logging in as user webapp1, it works.
It sounds like you've got your server set up to use password-less logins to PostgreSQL-- i.e. you have local logins in your pg_hba.conf set to peer or trust so that as long as there's a user configured in postgres with the same name as your linux user, you don't have to do any further configuration to get Postgres working in your apps-- it effectively grants access to the db based on your Linux user account.
I had the same problem when running a simple nodejs script via cron. It worked fine from the shell, but complained of missing username when running via cron. Setting the username explicitly in code wasn't an option because I'd built my config to be as automatic as possible-- I needed it to figure out privileges by which user the script was running as.
It turns out that either the connector library or postgres itself infers the username from an environment variable. I was able to fix it by setting USER=<cron user name> at the top of my crontab (since this was set explicitly in the env of an interactive shell, which is why this works at all).
It looks like the proper syntax to add to your webapp1.conf would be:
environment=USER="<user name here>"
I am new to linux world. So please excuse for any stupid questions.
I have a linux machine and I don’t have root access. I have service account which have full access to app folder. My login (ssh) credentials don’t have access to that app folder.
So I will follow the below process.
1) Copy the app folder in windows machine to /tmp/ in linux using winscp.
2) Login to the machine using putty.
3) Change the user to service account using below command.
sudo su – “service account”
4) Then I will copy app files from /tmp/ folder to /app/ folder and start the other configurations.
I want to automate the above process. So for I did below.
#Copy files to tmp folder
winscp.com -hostkey=* user:"password"#host /command "put D:/app_folder/ /tmp/ app_folder"
#Execute the script remotely
plink user:#host -m D:\Install_app.sh
The above script is running fine until I run test echo commands. It is started throwing errors when I run configuration commands due to user don’t have access to app folder. Only service account has access. But service account doesn’t have remote login access. So I can’t run the script with service account.
So I tried to run commands inside the script with service account. I tried below
Echo “password” | sudo –S su - “service account” “commands”
It is not working. Could you please let me know is there any other way to achieve this. I want to change user inside the script, once script start executing.
Note: The process is following by linux admin team due to security reason. So I can’t change the process :(.
Background
My question seems simple, but it gets more complex really fast.
Basically, I got really tired of maintaining my servers manually (screams in background) and I decided it was time to find a way to make being a server admin much more liveable. That's when I found Ansible. Great huh? Sure beats making bash scripts (louder scream) for everything I wanted to automate.
What's the problem?
I'm having a lot of trouble figuring out what user my Ansible playbook will run certain things as. I also need the ability to specify what user certain tasks will run as. Here are some specific use cases:
Cloning a repo as another user:
My purpose with this is it run my node.js webapp from another user, who we'll call bill (that can only use sudo to run a script that I made that starts the node server, as opposed to root or my user that can use sudo for all commands). To do this, I need the ability to have Ansible's git module clone my git repo as bill. How would I do that?
Knowing how Ansible will gain root:
As far as I understand, you can set what user Ansible will connect to the server you're maintaining by defining 'user' and the beginning of the playbook file. Here's what I don't understand: if I tell it to connect via my username, joe, and ask it to update a package via the apt module, how will it gain root? Sudo usually prompts me for my password, and I'd prefer keeping it that way (for security).
Final request
I've scoured the Ansible docs, done some (what I thought was thorough) Googling, and generally just tried to figure it out on my own, but this information continues to elude me.
I am very new to Ansible, and while it's mostly straight-forwards, I would benefit greatly if I could understand exactly how Ansible runs, on which users it runs, and how/where I can specify what user to use at different times.
Thank you tons in advance
You may find it useful to read the Hosts and Users section on Ansible's documentation site:
http://docs.ansible.com/playbooks_intro.html#hosts-and-users
In summary, ansible will run all commands in a playbook as the user specified in the remote_user variable (assuming you're using ansible >= 1.4, user before that). You can specify this variable on a per-task basis as well, in case a task needs to run as a certain user.
Use sudo: true in any playbook/task to use sudo to run it. Use the sudo_user variable to specify a user to sudo to if you don't want to use root.
In practice, I've found it easiest to run my playbook as a deploy user that has sudo privileges. I set up my SSH keys so I can SSH into any host as deploy without using a password. This means that I can run my playbook without using a password and even use sudo if I need to.
I use this same user to do things like cloning git repos and starting/stopping services. If a service needs to run as a lower-privileged user, I let the init script take care of that. A quick Google search for a node.js init.d script revealed this one for CentOS:
https://gist.github.com/nariyu/1211413
Doing things this way helps to keep it simple, which I like.
Hope that helps.
My 2 cents:
Ansible uses your local user (eg Mike) to ssh to the remote machine. (That required Mike to be able to ssh to the machine)
From there it can change to a remote user if needed
It can also sudo if needed and if Mike is allowed. If no user is specified then root will be selected via your ~/.ansible.cfg on your local machine.
If you supply a remote_user with the sudo param then like no.3 it will not use root but that user.
You can specify different situations and different users or sudo via the playbooks.
Playbook's define which roles will be run into each machine that belongs to the inventory selected.
I suggest you read Ansible best practices for some explanation on how to setup your infrastructure.
Oh and btw since you are not referring to a specific module that ansible uses and your question is not related to python, then I don't find any use your question having the python tag.
Just a note that Ansible>=1.9 uses privilege escalation commands so you can execute tasks and create resources as that secondary user if need be:
- name: Install software
shell: "curl -s get.dangerous_software.install | sudo bash"
become_user: root
https://ansible-docs.readthedocs.io/zh/stable-2.0/rst/become.html
I notice current answers are a bit old and suffering from link rot.
Ansible will SSH as your current user, by default:
https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html#connecting-to-remote-nodes
Ansible communicates with remote machines over the SSH protocol. By default, Ansible uses native OpenSSH and connects to remote machines using your current user name, just as SSH does.
This can be overridden using:
passing the -u parameter at the command line
setting user information in your inventory file
setting user information in your configuration file
setting environment variables
But then you must ensure a route exists to SSH as that user. An approach to maintaining user-level ownership I see more often is become (root) and then to chown -R jdoe:jdoe /the/file/path.
In my 2.12 release of ansible I found the only way I could change the user was by specifying become: yes as an option at the play level. That way I am SSHing as the unprivileged, default, user. This user must have passwordless sudo enabled on the remote and is about the safest I could make my VPS. From this I could then switch to another user, with become_user, from an arbitrary command task.
Like this:
- name: Getting Started
gather_facts: false
hosts: all
become: yes # All tasks that follow will become root.
tasks:
- name: get the username running the deploy
command: echo $USER
become_user: trubuntu # From root we can switch to trubuntu.
If the user permitted SSH access to your remote is, say, victor, and not your current user, then remote_user: victor has a place at the play level, adjacent to become: yes.