I trying run a script without become the su user and I use this command for this:
echo "password" | sudo -S <command>
If I use this command for "scp", "mv", "whoami" commands, the command works very well but when I use for "chmod", the command asks for password for my user. I don't enter password and the command works. My problem is the system asks password to me. I don't want the system asks for password.
Problem ss is like this:
[myLocalUser#myServer test-dir]$ ls -lt
total 24
--wx-wx-wx 1 root root 1397 May 26 12:12 file1
--wx-wx-wx 1 root root 867 May 26 12:12 script1
--wx-wx-wx 1 root root 8293 May 26 12:12 file2
--wx-wx-wx 1 root root 2521 May 26 12:12 file3
[myLocalUser#myServer test-dir]$ echo "myPassw0rd" | sudo -S chmod 111 /tmp/test-dir/*
[sudo] password for myLocalUser: I DONT WANT ASK FOR PASSWORD
[myLocalUser#myServer test-dir]$ ls -lt
total 24
---x--x--x 1 root root 1397 May 26 12:12 file1
---x--x--x 1 root root 867 May 26 12:12 script1
---x--x--x 1 root root 8293 May 26 12:12 file2
---x--x--x 1 root root 2521 May 26 12:12 file3
You can use the sudoers file, located in /etc/sudoers, to allow specific users execute commands as root without password.
myLocalUser ALL=(ALL) NOPASSWD: /bin/chmod
With this line the user myLocalUser can execute chmod as root without a password is needed.
But this also breaks parts of the system security, so be aware not allow too much and fence the task as much as possible.
sudoers information
sudo -S prints prompt to stderr.
If you don't want to see it, redirect stderr to /dev/null
The following command redirects stderr at the local host:
echo <password> | ssh <server> sudo -S ls 2>/dev/null
It is equivalent to echo <password> | ssh <server> "sudo -S ls" 2>/dev/null
The following command redirects stderr at the remote server:
echo <password> | ssh <server> "sudo -S ls 2>/dev/null"
If you need to keep stderr, but hide [sudo] password for ... then you can use process substitution on the local or remote machine. Since sudo prompt has no newline, I use sed to cut out the sudo prompt. I do this to save the first line of stderr of the created process.
# local filtering
echo <password> | ssh <server> "sudo -S ls" 2> >(sed -e 's/^.sudo[^:]\+: //')
#remote filtering
echo <password> | ssh <server> "sudo -S ls 2> >(sed -e 's/^.sudo[^:]\+: //')"
Related
What does this command do in a Linux terminal?
chmod -r /home/daria/photos/
I got this question because there was no error
chmod is a utility that is used to change the permissions of a file or directory. You can use ls -l /path/to/file command to observe the changes of chmod.
❯ echo "XYZ" > /tmp/abc # Create a new file named abc
❯ ls -l /tmp/abc # List the permissions of /tmp/abc
-rw-r--r-- 1 abdulkarim wheel 4B Apr 3 13:17 /tmp/abc
❯ cat /tmp/abc # Display the contents of the file
XYZ
❯ chmod -r /tmp/abc # remove read permissions for User, Group and Others
❯ ls -l /tmp/abc # Notice the read perms are gone
--w------- 1 abdulkarim wheel 4B Apr 3 13:17 /tmp/abc
❯ cat /tmp/abc # We can no longer cat the file!
cat: /tmp/abc: Permission denied
So, the command chmod -r /path/to/file will revoke the read permissions for everyone. Similarly chmod +r will grant read permission to everyone.
The man page for chmod does not explain this, making it difficult for some users but once you know this, you cannot un-know this :)
I have a php script that will collection data and write log into a file, the directory belongs to an user called 'ingestion' and a group called 'ingestion'. I was using the command
sudo -u ingestion php [script] &>> /var/log/FOLDER/adapter.log
The owner and group of FOLDER is ingestion. However, the created adapter.log still belongs to root user and root group, how is this possible?
Your file is created by the bash running as root, not by the process that you run via sudo as ingestion.
That's because the >> foo is part of the command line, not of the process started by sudo.
Here:
#foo.sh
echo foo: `id -u`
Then:
tmp root# sudo -u peter bash foo.sh > foo
tmp root# ls -l foo
-rw------- 1 root staff 9 Mar 2 18:52 foo
tmp root# cat foo
foo: 501
You can see that the file is created as root but the foo.sh script is run as uid 501.
You can fix this by running e.g.:
tmp root# sudo -u peter bash -c "bash foo.sh > foo"
tmp root# ls -l foo
-rw------- 1 peter staff 9 Mar 2 18:54 foo
tmp root# cat foo
foo: 501
In your case, of course, replace "..." with your php command.
I seem to have a weird issue:
I want to restart a reverse ssh tunnel on boot, I've tried it with an init script (that works fine when executed as user) and with an added line in /etc/rc.d but none of it works. What I get after boot is:
$ ps ax | grep autossh
397 pts/10 S+ 0:00 grep --color=auto autossh
1351 ? Ss 0:00 /usr/lib/autossh/autossh -M 22221 -N -o PubkeyAuthentication=yes -o PasswordAuthentication=no -i ~/.ssh/etherwan.key -R 19999:localhost:22 ubuntu#server
but I'm unable to login from server. So I did the following after boot:
$ sudo killall -KILL autossh
[sudo] password for ron:
$ /usr/bin/autossh -M 22221 -f -N -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -i ~/.ssh/etherwan.key -R 19999:localhost:22 ubuntu#server
upon which I can login using port 19999 just fine!
The keys permissions look like: (but root should not need to care, would it?)
$ ls -l ~/.ssh/etherwan.key
-r-------- 1 ron ron 1675 Nov 6 04:15 /home/ron/.ssh/etherwan.key
Replace ~/.ssh/etherwan.key in your rc.d script with /home/ron/.ssh/etherwan.key
The '~' character is expanded to the user's home directory by the shell, but rc.d scripts are run as root.
I am working with Chef on EC2 instances, and created a user data script to be passed in through the knife ec2 command, which creates a new user, copies the public key file from the default ec2-user and sets the correct ownership and permissions.
#!/bin/bash
CHEFUSER="$(date +%s | sha256sum | base64 | head -c 32)"
useradd $CHEFUSER
echo $CHEFUSER 'ALL=(ALL) NOPASSWD:ALL' | tee -a /etc/sudoers
cp -f /home/ec2-user/.ssh/authorized_keys /tmp/
chown $CHEFUSER /tmp/authorized_keys
runuser -l $CHEFUSER -c 'mkdir ~/.ssh/'
runuser -l $CHEFUSER -c 'mkdir ~/.aws/'
runuser -l $CHEFUSER -c 'chmod 700 ~/.ssh/'
runuser -l $CHEFUSER -c 'mv -f /tmp/authorized_keys ~/.ssh/'
runuser -l $CHEFUSER -c 'chmod 600 ~/.ssh/authorized_keys'
Checking ownership and permissions seems to return as expected after running the script:
# ls -l .ssh/authorized_keys
-rw-------. 1 NWYzMThiMDBmNzljOTgxZmU1NDE1ZmE0 root 396 May 29 11:28 .ssh/authorized_keys
# stat -c '%a %n' .ssh/
700 .ssh/
# stat -c '%a %n' .ssh/authorized_keys
600 .ssh/authorized_keys
If I SSH with the new user, the key is rejected. On a new instance, if I copy/paste the same commands as root in the terminal (which is how the script runs according to Amazon), everything works fine and I can then SSH in with the new user.
If I use a login shell to login as root
then 'who' or 'users' commands
will show an entry for the root user.
However If I login with user1 and then use:
'su - root'
Then the 'who' and 'users' command will not show an entry for root.
Is there a way to find out whether there is a logged-in user in my system that has currently switched to root (or to any other account)?
Look at the /var/log/secure file.
Search for line like this:
Feb 6 14:12:09 myhost su: pam_unix(su-l:session): session opened for user root by root(uid=999)
the uid at the end of the string is the one of the original user.
Otherwise you can search for shells that executed su command and check who's the owner.
pgrep su | \
xargs -i sh -c "ps -p {} -o ppid=" | \
xargs -i ps -p {} -f
The result will be the uids of who is currently running su
I'm sure there's a more elegant method but nothing better comes to my mind right now.
Thanx to Davide Berra's answer, I think I have found what I was looking for.
> who | sort -k2 > /tmp/whoresult
> pgrep -x su | xargs -i ps hu -p{} | awk '{printf $7 " ";for (i=11; i<=NF; i++) printf $i " "; printf "\n"}' | sort -k1 | join -1 2 -2 1 /tmp/whoresult -
The output is something like:
pts/3 user1 2013-02-06 16:35 (:0.0) su - root #logged in as user1 and executed 'sudo - root'
pts/5 user1 2013-02-06 16:51 (:0.0) su #logged in as user1 executed 'sudo su'
tty2 root 2013-02-06 17:07 su - user1 #logged in as root and executed 'sudo - user1'