I'm currently writing a .sh script to deploy different applications on 4 different machines. Right now I'm having trouble with running a script as another user. I need to log in with myUser with my credentials and then sudo su to user2 to run a specific script.
Normally, I would manually do the following:
ssh myUser#remotehost
[Type in password]
sudo su - user2
cd /path/only/accessible/to/user2
./someScript.sh
when I tried
ssh -t myUser#$remotehost "sudo su - user2 && /path/only/accessible/to/user2 && ./someScript.sh"
I was asked my password, then stayed logged as user2, without any feedback from the script, which would normally give me some informations.
What am I doing wrong?
Try
ssh -t myUser#$remotehost "sudo -u user2 /path/only/accessible/to/user2/someScript.sh"
If you need shell access after that you can use
ssh -t myUser#$remotehost "sudo -u user2 /path/only/accessible/to/user2/someScript.sh && /bin/bash -l"
An update if anyone wonders about this.
What I finally did was to log in with an ssh key. My sysadmin had to get involved in order to set it up, but at least it is a viable option.
ssh -i /path/to/sshKey user2#$remoteHost "/path/only/accessible/to/user2/someScript.sh"
Related
I have script.sh that must be run as user2. However, this script can only be run under user1 in my application.
I would like the following command to run:
su user2 -C script.sh
but be able to run without password.
I also want this to be very restrictive, as in user1 can only run script.sh under user2 and nothing else.
I've tried doing this with sudoers file and just got endlessly confused after hours of trying.
If somebody can provide an explicit example of how this can be accomplished (instead of something generic like use sudoers), it would be greatly appreciated.
try running:
su -c "Your command right here" -s /bin/sh username
This will run the command as username given that you have permissions to sudo as that user.
Call visudo and add this:
user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh
The command paths must be absolute! Then call sudo -u user2 /home/user2/bin/test.sh from a user1 shell. Done.
`su -c "Your command right here" -s /bin/sh username`
The above command is correct, but on Red Hat if selinux is enforcing it will not allow cron to execute scripts as another user. example;
execl: couldn't exec /bin/sh
execl: Permission denied
I had to install setroubleshoot and setools and run the following to allow it:
yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
grep crond /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.p
I'm creating a virtual machine configuration script using whiptail that I'd like to have automatically start after the user logs in. The thing is, that I don't want the user to be root, however because the user will need to be able to change things like hostname, ip address, add directories, etc. they'll need sudo privileges in order for the script to actually do it's job.
What I've done so far is created a user that uses my whiptail shell script:
adduser -M -s /scripts/whiptail_config.sh user1
I've also added user1 to sudoers using visudo:
user1 ALL=(root) NOPASSWD: /scripts/whiptail3_config.sh
And I've changed /etc/init/tty1.conf to automatically log that user in:
exec /sbin/getty -8 38400 tty1 -a user1
Up to this point, my whiptail_config.sh shell script loads fine after bootup and the forced login. However, anything that actually requires the sudo access within the script errors out with the Permission denied... message.
Is what I'm looking to do possible? Are there alternatives that I haven't considered and should? Thanks!
If /scripts/whiptail3_config.sh doesn't do a sudo, then it won't have permissions. You can make the script check the uid under which it's running and sudo to itself.
Something like
#!/bin/bash
[ $UID != 0 ] && exec sudo $0 "$#"
# the rest of the script...
Where do you use sudo? Nowhere.
Run the script directly from inittab.
I am trying to create a Linux terminal menu by way of a simple script. Within the script it will have some commands that will submit a job (a shell script for example) as another user without password prompt.
I was able to find the following post and this worked. how to run script as another user without password
However, there was one side affect. It appears the user can run other scripts in that users folder which I don't want.
Any suggestions/help welcome.
For the sake of this. Here is what I have:
Username temp1, which is the user that will be running the menu.
uid=1001(temp1), gid=1001(temp1), groups=1001(temp1)
Username wayne, which is the user that the script must be submitted as to run the job
uid=1000(wayne), gid=1000(wayne),groups=1000(wayne),4(adm),24(cdrom),27(sudo),30(dip)...
Script script1.sh, script2.sh owned by wayne.
-rwxr-xr-x script1.sh
-rwxr-xr-x script2.sh
If I try to go to /home/wayne as temp1 user I get permission denied (expected)
I set the scripts to chmod 700 for wayne. So technically no one can run them other than wayne.
I have edited sudo file and have the following entry:
temp1 ALL(wayne) NOPASSWD: /home/wayne/script1.sh
When I run command su -c "/home/wayne/script1.sh" -s /bin/sh wayne the script runs (as expected)
When I run command su -c "/home/wayne/script2.sh" -s /bin/sh wayne the script runs (not expected).
Any ideas?
The answer is change from su to sudo.
su is primarily for switching users, while sudo is for executing commands as other users. The -u flag lets you specify which user to execute the command as:
sudo -u wayne '/home/wayne/script2.sh'
gives Sorry user is not allowed to execute
Solution: In order to run commands/scripts as another user on linux/unix you need sudo permission and run the following formula:
sudo -H -u <user> bash -c '<some-command>'
For example:
sudo -H -u wayne bash -c 'echo "user:$USER|home:$HOME|action:run_script"; ./home/wayne/script.sh'
from Documentation:
sudo allows a permitted user to execute a command as the superuser or
another user, as specified by the security policy.
-H The -H (HOME) option requests that the security policy set
the HOME environment variable to the home directory of the
target user (root by default) as specified by the password
database. Depending on the policy, this may be the default
behavior.
-u user The -u (user) option causes sudo to run the specified
command as a user other than root. To specify a uid
instead of a user name, use #uid. When running commands as
a uid, many shells require that the '#' be escaped with a
backslash ('\'). Security policies may restrict uids to
those listed in the password database. The sudoers policy
allows uids that are not in the password database as long
as the targetpw option is not set. Other security policies
may not support this.
I have script.sh that must be run as user2. However, this script can only be run under user1 in my application.
I would like the following command to run:
su user2 -C script.sh
but be able to run without password.
I also want this to be very restrictive, as in user1 can only run script.sh under user2 and nothing else.
I've tried doing this with sudoers file and just got endlessly confused after hours of trying.
If somebody can provide an explicit example of how this can be accomplished (instead of something generic like use sudoers), it would be greatly appreciated.
try running:
su -c "Your command right here" -s /bin/sh username
This will run the command as username given that you have permissions to sudo as that user.
Call visudo and add this:
user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh
The command paths must be absolute! Then call sudo -u user2 /home/user2/bin/test.sh from a user1 shell. Done.
`su -c "Your command right here" -s /bin/sh username`
The above command is correct, but on Red Hat if selinux is enforcing it will not allow cron to execute scripts as another user. example;
execl: couldn't exec /bin/sh
execl: Permission denied
I had to install setroubleshoot and setools and run the following to allow it:
yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
grep crond /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.p
I want to know if i can somehow or someway run a remote linux script stored in windows machine through putty which can contain:
#!/bin/bash
su
<password>
<some operation which needs root permissions>
exit
<some operation with normal user credentials>
Since i tried above script but it does ask root password and then give error of not able to run commands and needed root access. I ran this script from putty using command line:
putty -ssh normaluser#linuxhost -pw <password> -t -m C:\myRootScript.sh
Thanks for answers
Ashutosh
Either login as the root user (not recommended!) or add the user that you're login in with to the sudoers file
sudo visudo
myusername ALL=(ALL) NOPASSWD: ALL
That will let you run sudo without a password.