I need to make a bash script to swith from user 1 to user 2 at system start up in linux and run the script to execute a command. I want this all happens without asking me the password of user 2.. Just to turn on the pc and login with usr 1 and everthing then run automatically.
Using sudo command, add the following to your sudoers file (using visudo command) :
user1 ALL=(user2) NOPASSWD: ALL
This allows the user user1 to run any command with the identity user2 using sudo command and without any password authentication. For instance :
user1$ sudo -u user2 whoami
user2
You can reduce the set of commands by listing the allowed commands instead of the "ALL" keyword in sudoers :
user1 ALL=(user2) NOPASSWD: /usr/bin/whoami, /bin/ls
You need the script itself to dynamically switch users and run commands?
Store those commands in another script and run that as user2.
echo "command1; command2; etc;">/tmp/file2run
sudo -u user2 bash /tmp/file2run
You can achieve this using here document as well
su user1 - <<END
id
## Do some user1 related activities
END
su user2 - << END
id
## Do some user2 related activities
END
su user1 - <<END
id
## continue user1 related activities
END
if user1 can access user2 without password, then you can put user2 here doc inside user1 here doc and make sure to use different delimiter if you are using nested here doc approach.
Related
How can I check if the current user has all privileges to use useradd and groupadd for creation of users and groups?
I don't want to request root privileges (e.g. requireing to be root or calling sudo) for my bash script unnecessarily. Instead I just want to ensure that the privileges are there to just use those commands.
The commands:
$ ls -l $(which useradd) $(which groupadd)
-rwxr-xr-x 1 root root 93136 Mai 28 2020 /usr/sbin/groupadd
-rwxr-xr-x 1 root root 147160 Mai 28 2020 /usr/sbin/useradd
As useradd and groupadd commands need some extra priviledges to run, you can setup access to sudo for specific commands like useradd and groupadd like below :-
Please go through it once, it will make most of the things clear to you
Controlling Access To sudo
The /etc/sudoers file configures the programs that users can access using sudo, along with whether or not a password will be needed.
The system administrator adds users to this file using the /usr/sbin/visudo command. Each non-comment line in the file has two parts:
A username ("<USER_NAME>"), or a group name ("%<GROUP_NAME>").
A list of machine names where a program may be run, or the keyword ALL. Following an equal sign (=), a list of user identities the command may be run as, enclosed in round brackets (parenthesis); the wildcard ALL may also appear. Finally, a list of applications that may be run as the named users; the keyword ALL is a wildcard.
The following examples should help make this clear:
<USER_NAME> ALL=(ALL) ALL
# User <USER_NAME> can execute any command as any user, but must know the password to the <USER_NAME> account.
<USER_NAME> ALL=(root) shutdown
# User <USER_NAME> can execute only command shutdown, but must know the password to the <USER_NAME> account.
<USER_NAME> ALL=(root) NOPASSWD: /usr/bin/id
# User <USER_NAME> can execute only the application /usr/bin/id; no password will be needed.
<USER_NAME> ALL=() NOPASSWD: /usr/bin/id
# User <USER_NAME> can execute only the application /usr/bin/id; no password will be needed.
Once the system administrator has entered the necessary setup into the /etc/sudoers file, users can safely access privileged system resources and activities like this:
$ sudo useradd username
No awkward quoting on the command line, just prefix the command you want with the word sudo. If you want to run the command as a user other than root, just add the -u username switch:
$ sudo -u <USER_NAME> useradd username
There will be a log entry written to the /var/log/secure file to show who did the deed.
Of course, the sysadmin can configure sudo not to request a password. In this case, the command is immediately executed although the audit trail entry will still be written.
Reference :- Sudo Tutorial
Please reach in the comments section for any help
Will be glad to help !!!
Assuming that you need root or sudo to add new users (same for group), you can check if the user has sudo rights, by checking if he is in the corresponding groups.
getent group sudo // shows all users in groupd sudo
Dont know what system/distro you are on - but on arch for example sudoers are in group wheel...
On Linux debian-linux 5.10.0-6-amd64 #1 SMP Debian 5.10.28-1 (2021-04-09) x86_64 GNU/Linux,
you can try this way in your script.
groupadd 2>/dev/null ; if test $? -eq 2 ; then echo ok ; else echo bad ; fi
If you can access groupadd or useradd, the return value is 2 because there is missings arguments.
If you can't acess groupadd or useradd, the return value is 127.
I am trying to login as USER1 and switch user to USER2 and execute some scripts (100+ scripts, can't list them all out in the sudoer file one by one) as USER2
in the Sudoer file i have
USER1 ALL=(USER2) NOPASSWD: ALL
When i run the following as USER1
sudo su - USER2 -c "test.sh"
I get
Sorry, user USER1 is not allowed to execute '/bin/su - USER2 -c
test.sh' as root
if i run
sudo su - sassrv
I get
Sorry, user USER1 is not allowed to execute '/bin/su - USER2'
If i change the Sudoer file to
USER1 ALL=(ALL) NOPASSWD: /bin/su - USER2
It will let me switch user, but i am still getting
Sorry, user USER1 is not allowed to execute '/bin/su - USER2 -c
test.sh' as root
How can i achieve this?
You wanted to run test.sh as USER2 with sudo, but instead you run su as root.
su may in turn try to run test.sh as USER2, but that's beyond the scope and knowledge of sudo. From sudo's point of view, the only thing you're doing is trying to run a command as root.
Instead, ask sudo to run test.sh as USER2 directly:
sudo -u USER2 test.sh
PS: sudo su in any context is a code smell that indicates a lack of understanding of what sudo is and does.
I'm currently writing a .sh script to deploy different applications on 4 different machines. Right now I'm having trouble with running a script as another user. I need to log in with myUser with my credentials and then sudo su to user2 to run a specific script.
Normally, I would manually do the following:
ssh myUser#remotehost
[Type in password]
sudo su - user2
cd /path/only/accessible/to/user2
./someScript.sh
when I tried
ssh -t myUser#$remotehost "sudo su - user2 && /path/only/accessible/to/user2 && ./someScript.sh"
I was asked my password, then stayed logged as user2, without any feedback from the script, which would normally give me some informations.
What am I doing wrong?
Try
ssh -t myUser#$remotehost "sudo -u user2 /path/only/accessible/to/user2/someScript.sh"
If you need shell access after that you can use
ssh -t myUser#$remotehost "sudo -u user2 /path/only/accessible/to/user2/someScript.sh && /bin/bash -l"
An update if anyone wonders about this.
What I finally did was to log in with an ssh key. My sysadmin had to get involved in order to set it up, but at least it is a viable option.
ssh -i /path/to/sshKey user2#$remoteHost "/path/only/accessible/to/user2/someScript.sh"
I have a shell script moveInvoice.sh with chmod 777 permission as user test1 and all other scripts are under user test2.
Now I need to call moveInvoice.sh from test2 I tried following
sudo -c
sudo -u
But all are giving permission denied. Is there any other way to make it run with test2 user ?
once manually I am able to execute then I need to put this in crontab
You can set up a user on Linux to be able to run sudo without a password by adding a NOPASSWD option in visudo.
run sudo visudo as root and then add your user under privilege specification as SOMEUSER ALL=(ALL) NOPASSWD: ALL.
now, SOMEUSER will be able to run sudo commands without a password.
I am trying to create a Linux terminal menu by way of a simple script. Within the script it will have some commands that will submit a job (a shell script for example) as another user without password prompt.
I was able to find the following post and this worked. how to run script as another user without password
However, there was one side affect. It appears the user can run other scripts in that users folder which I don't want.
Any suggestions/help welcome.
For the sake of this. Here is what I have:
Username temp1, which is the user that will be running the menu.
uid=1001(temp1), gid=1001(temp1), groups=1001(temp1)
Username wayne, which is the user that the script must be submitted as to run the job
uid=1000(wayne), gid=1000(wayne),groups=1000(wayne),4(adm),24(cdrom),27(sudo),30(dip)...
Script script1.sh, script2.sh owned by wayne.
-rwxr-xr-x script1.sh
-rwxr-xr-x script2.sh
If I try to go to /home/wayne as temp1 user I get permission denied (expected)
I set the scripts to chmod 700 for wayne. So technically no one can run them other than wayne.
I have edited sudo file and have the following entry:
temp1 ALL(wayne) NOPASSWD: /home/wayne/script1.sh
When I run command su -c "/home/wayne/script1.sh" -s /bin/sh wayne the script runs (as expected)
When I run command su -c "/home/wayne/script2.sh" -s /bin/sh wayne the script runs (not expected).
Any ideas?
The answer is change from su to sudo.
su is primarily for switching users, while sudo is for executing commands as other users. The -u flag lets you specify which user to execute the command as:
sudo -u wayne '/home/wayne/script2.sh'
gives Sorry user is not allowed to execute
Solution: In order to run commands/scripts as another user on linux/unix you need sudo permission and run the following formula:
sudo -H -u <user> bash -c '<some-command>'
For example:
sudo -H -u wayne bash -c 'echo "user:$USER|home:$HOME|action:run_script"; ./home/wayne/script.sh'
from Documentation:
sudo allows a permitted user to execute a command as the superuser or
another user, as specified by the security policy.
-H The -H (HOME) option requests that the security policy set
the HOME environment variable to the home directory of the
target user (root by default) as specified by the password
database. Depending on the policy, this may be the default
behavior.
-u user The -u (user) option causes sudo to run the specified
command as a user other than root. To specify a uid
instead of a user name, use #uid. When running commands as
a uid, many shells require that the '#' be escaped with a
backslash ('\'). Security policies may restrict uids to
those listed in the password database. The sudoers policy
allows uids that are not in the password database as long
as the targetpw option is not set. Other security policies
may not support this.