I am trying to login as USER1 and switch user to USER2 and execute some scripts (100+ scripts, can't list them all out in the sudoer file one by one) as USER2
in the Sudoer file i have
USER1 ALL=(USER2) NOPASSWD: ALL
When i run the following as USER1
sudo su - USER2 -c "test.sh"
I get
Sorry, user USER1 is not allowed to execute '/bin/su - USER2 -c
test.sh' as root
if i run
sudo su - sassrv
I get
Sorry, user USER1 is not allowed to execute '/bin/su - USER2'
If i change the Sudoer file to
USER1 ALL=(ALL) NOPASSWD: /bin/su - USER2
It will let me switch user, but i am still getting
Sorry, user USER1 is not allowed to execute '/bin/su - USER2 -c
test.sh' as root
How can i achieve this?
You wanted to run test.sh as USER2 with sudo, but instead you run su as root.
su may in turn try to run test.sh as USER2, but that's beyond the scope and knowledge of sudo. From sudo's point of view, the only thing you're doing is trying to run a command as root.
Instead, ask sudo to run test.sh as USER2 directly:
sudo -u USER2 test.sh
PS: sudo su in any context is a code smell that indicates a lack of understanding of what sudo is and does.
Related
I need to make a bash script to swith from user 1 to user 2 at system start up in linux and run the script to execute a command. I want this all happens without asking me the password of user 2.. Just to turn on the pc and login with usr 1 and everthing then run automatically.
Using sudo command, add the following to your sudoers file (using visudo command) :
user1 ALL=(user2) NOPASSWD: ALL
This allows the user user1 to run any command with the identity user2 using sudo command and without any password authentication. For instance :
user1$ sudo -u user2 whoami
user2
You can reduce the set of commands by listing the allowed commands instead of the "ALL" keyword in sudoers :
user1 ALL=(user2) NOPASSWD: /usr/bin/whoami, /bin/ls
You need the script itself to dynamically switch users and run commands?
Store those commands in another script and run that as user2.
echo "command1; command2; etc;">/tmp/file2run
sudo -u user2 bash /tmp/file2run
You can achieve this using here document as well
su user1 - <<END
id
## Do some user1 related activities
END
su user2 - << END
id
## Do some user2 related activities
END
su user1 - <<END
id
## continue user1 related activities
END
if user1 can access user2 without password, then you can put user2 here doc inside user1 here doc and make sure to use different delimiter if you are using nested here doc approach.
I have a shell script moveInvoice.sh with chmod 777 permission as user test1 and all other scripts are under user test2.
Now I need to call moveInvoice.sh from test2 I tried following
sudo -c
sudo -u
But all are giving permission denied. Is there any other way to make it run with test2 user ?
once manually I am able to execute then I need to put this in crontab
You can set up a user on Linux to be able to run sudo without a password by adding a NOPASSWD option in visudo.
run sudo visudo as root and then add your user under privilege specification as SOMEUSER ALL=(ALL) NOPASSWD: ALL.
now, SOMEUSER will be able to run sudo commands without a password.
I have script.sh that must be run as user2. However, this script can only be run under user1 in my application.
I would like the following command to run:
su user2 -C script.sh
but be able to run without password.
I also want this to be very restrictive, as in user1 can only run script.sh under user2 and nothing else.
I've tried doing this with sudoers file and just got endlessly confused after hours of trying.
If somebody can provide an explicit example of how this can be accomplished (instead of something generic like use sudoers), it would be greatly appreciated.
try running:
su -c "Your command right here" -s /bin/sh username
This will run the command as username given that you have permissions to sudo as that user.
Call visudo and add this:
user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh
The command paths must be absolute! Then call sudo -u user2 /home/user2/bin/test.sh from a user1 shell. Done.
`su -c "Your command right here" -s /bin/sh username`
The above command is correct, but on Red Hat if selinux is enforcing it will not allow cron to execute scripts as another user. example;
execl: couldn't exec /bin/sh
execl: Permission denied
I had to install setroubleshoot and setools and run the following to allow it:
yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
grep crond /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.p
I am unable to create a directory using sudo priveleges from root user and If I login to user , I can create an directory under /root using sudo. Also I have added to allow all commands in /etc/sudoers file and the details are below:
[root#linux home]# cat /etc/sudoers | grep tes
test ALL= NOPASSWD: ALL
Error
[root#linux home]# sudo -u test mkdir /var/log/test3
mkdir: cannot create directory ‘/var/log/test3’: Permission denied
Any Ideas ?
Thanks
By running 'sudo -u test', you're giving yourself lower privileges than the roor user because you're running the command as the user 'test', not 'root'. From the root user, you can just run:
mkdir /var/log/test3
Read man sudo for more info.
Or:
Run visudo and uncomment the wheel group, then add the user test to the wheel group.
If you don't mind me asking, why do you need to create a directory as a certain user from the root user? Especially since the directory you're making will not be user specific?
Also, in the sudoers file , you should what added test ALL=(ALL) NOPASSWD: ALL, not test ALL= NOPASSWD: ALL
I have script.sh that must be run as user2. However, this script can only be run under user1 in my application.
I would like the following command to run:
su user2 -C script.sh
but be able to run without password.
I also want this to be very restrictive, as in user1 can only run script.sh under user2 and nothing else.
I've tried doing this with sudoers file and just got endlessly confused after hours of trying.
If somebody can provide an explicit example of how this can be accomplished (instead of something generic like use sudoers), it would be greatly appreciated.
try running:
su -c "Your command right here" -s /bin/sh username
This will run the command as username given that you have permissions to sudo as that user.
Call visudo and add this:
user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh
The command paths must be absolute! Then call sudo -u user2 /home/user2/bin/test.sh from a user1 shell. Done.
`su -c "Your command right here" -s /bin/sh username`
The above command is correct, but on Red Hat if selinux is enforcing it will not allow cron to execute scripts as another user. example;
execl: couldn't exec /bin/sh
execl: Permission denied
I had to install setroubleshoot and setools and run the following to allow it:
yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
grep crond /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.p