Currently I'm working on a perl script (for Debian based OS'es) that automatically installs some software packages. Therefore the script needs root privileges. As you all know this can be done by adding sudo before the command.
For some configurations however, the terminal user may not be the root. So my question is, how can I decrease the privileges and return to the user that opened the terminal.
I already tried the following code, but it closes the terminal and thats not what I want.
$result = `exit`;
When you're root, you can use sudo -u user cmd... to run a command as user. Since you're already root, it won't ask for a password.
Related
I have django server installed under ownership of user say 'X'. Now I want to switch to user 'Y' and execute some scripts. Currently for changing user I am using sudo su "Y" -c "commands to execute" . I have added user "X" in sudoers file so that now it does not ask for a password.
Is there any way to do it without sudo.I have already tried it by editing /etc/pam.d/su file so that it does not ask for password when user X runs "su Y" without sudo.
Is there any other way in which this can be achieved?
You can use setuid bit for script, I think.
chmod a+u your_script_to_execute
will do the trick. Then any user will launch this script with priviligies of it's owner
You can read more at https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits
I am running a script in background using fabric. To do that I am using below mentioned function.
def init_db(var):
with cd("%s/scripts" % var):
sudo (" nohup ./init_database.sh &> initdatabase.out &", pty=False)
I have to use pty=False to do it in backgound but this fails as in sudoers file "Defaults requiretty" option is mentioned which does not allow me to run sudo from fabric without pty.
I cannot edit the sudoers file all the time for every server, can anyone please give me some other solution.
Thanks,
Imran Teli
Warning: This is not safe! Do not use this!
Fabric supports giving the sudo password in the shell command:
fab --password=password [...]
However, this means the password may be stored in the shell history, log files and other random places where they could be easily retrieved by anyone having any sort of access to the box.
The safe way to do this is, as you mentioned, setting up sudoers to allow exactly the things you expect the script to do, and nothing else, without a password.
I would like my root-requiring bash script to be run from IntelliJ/WebStorm, asking me for the root password when I run it. Having my root password hardcoded in the script is a bad idea of course.
IntelliJ/WebStorm actually has a $Prompt$ macro for reasons like this, which prompts you and uses your input as a value.
So I tried using $Prompt$ along with echo YOURPASSWORD | sudo -S yourcommand as described in use-sudo-with-password-as-parameter.
Then I pass passwd & script to run to a sudorun.sh script echo -e $1 | sudo -S $2 $3 $4 (since echo can't be be the 'program' line) which although works on the CLI, it fails to read echo-stdin on the IntelliJ console.
Ideally, I would like the solution to be configured solely from within IntelliJ and not require specific OS configuration changes outside of IntelliJ.
Perhaps there are other ways to deal with this, so lets improvise!
I, too, faced the same issue, but I work with sensitive data on my development machine and removing the password requirement for sudoers just isn't an option.
I was able to resolve this issue by launching the actual WebStorm application from the command line using the sudo command as follows:
sudo /Applications/WebStorm.app/Contents/MacOS/webide
Once WebStorm/PhpStorm are launched this way, you can run a script with root access without supplying root credentials.
Use the NOPASSWD feature of sudo. Add a rule like so to sudoers (via visudo or similar):
someuser ALL = NOPASSWD: /usr/bin/interesting_program
%somegroup ALL = NOPASSWD: /usr/bin/interesting_program
I find myself automating a lot of my workflow, and running into the same issue. I don't want to punch a hole in my sudoer permissions, and I don't want to run my IDE as root either. A good solution that I've found is gksudo, on Ubuntu and many other Linux variants you'll find it installed by default. What gksudo does is it allows you to prompt the user(yourself) to input your password with a graphic overlay, much like Ubuntu/KDE/etc. do when you need to be root to perform an operation such as an update.
This will then prompt you to provide your password to escalate privilege, then execute a given command/program as root.
In the Edit Tool Window simply:
Set the Program to /usr/bin/gksudo
gksudo may be located at a different path, try: whereis gksudo to find its path
Set Parameters to all commands you want to execute in quotes
Ex. "mongod --fork --config /etc/mongodb.conf; service elasticsearch start"
Make sure you have the quotes!
Set a working directory(if needed)
I'm writing a bash script that requires root access and so what I need to do is write something like
$my_psswd >> sudo some_command parameter1 parameter2
to automate the process. I'm not concerned if this opens up security holes. This is more or less of an example that I can think of. But the problem is that when I initiate sudo anything, it asks for user input which I'm not sure how automate or provide as a variable.
I've tried things like
$my_psswd >1 sudo something
echo $my_psswd | sudo something
but none of this is what I want. Also this has to be a bash script, I can't use a program like expect. Thanks.
You need -S switch for sudo command:
-S The -S (stdin) option causes sudo to read the password from the standard input instead of the terminal device. The password must be followed by a newline character
I recommend against doing this at all. You will be storing your password in plain text which means other people may have access to it. Or it will be visible in process listings, again available to other users.
There are a couple of alternatives to prevent this:
Run the entire script using sudo. Do not use sudo in the script itself but run the entire things with elevated privileges. The downside is off course that your might be executing things with elevated privileges that do not require it but with no more background that's impossible to say.
Better would be to configure your account to execute those specific commands through sudo without providing a password. That way you can execute only the commands that need it with elevated prvileges without the problem of providing a password.
A workaround could be to run sudo -l before calling the script. That way sudo will have an active session and won't prompt for a password. This is only a workaround and would fail if one of the commands takes longer to execute than the configured grace time for sudo. But in small scripts this might be an easy fix.
Try echo $PW | sudo -S cmd
It may work for you.
you are not suppose to use sudo this way, use visudo to specify what commands are allowed to what users, then you don't need to worry about passwords.
This is about me being stressed by playing the game "type a command and remember to prepend sudo or your fingers will get slapped".
I am wondering if it is possible somehow to configure my Linux system or shell such that when I forget to type e.g. "sudo apt-get install emacs", instead of just telling me that I did something wrong, gksudo would get launched, allowing me to acknowledge my credentials and get on moving. Just like UAC does on windows.
Googling hasn't helped me yet..
So is this possible? Did I miss something? Or am I asking for a square circle?
Edit 2010 July 25th: Thanks everyone for your interrest. Unfortunately, Daenyth and bmargulies answers and explanations are what I anticipated/feared since it was impossible for me to google-up a solution prior to submitting this question. I hope that some nice person will someday provide an effective solution for this.
BR,
Christian
Linux doesn't allow for this. Unlike Windows, where any program can launch a dialog box, and UAC is in the kernel, Linux programs aren't necessarily GUI-capable, and sudo is not, in this sense, in the kernel. A program cannot make a call to elevate privilege (unless it was launched with privilege to begin with and intentionally setuid'd down). sudo is a separate executable with setuid privilege, which checks for permission. If it likes what it sees, it forks the shell to execute the command line. This can't be turned inside out.
As suggested in other posts, you may be able to come up with some 'shell game' to arrange to run sudo for you for some enumerated list of commands, but that's all you are going to get.
You can do what you want with a preexec hook function, similar to the command-not-found package.
There's no way to do this given the current linux software stack. Additionally, MS has a patent on this behavior -- present a user interface identifying an account having a right to permit a task in response to the task being prohibited based on a user's current account not having that right.
I don't think this really works in a general way (automatically deciding which application needs admin rights). However you could make aliases like this for every application:
alias alias apt-get='gksudo apt-get'
If you now enter apt-get install firefox the gnome asks for the admin password. You can store the commands in ~./bashrc
You could use a shell script like the following:
#!/bin/bash
$#
if [ $? -ne 0 ]; then
sudo $# # or "gksudo $#"
fi
This will run a command given in the arguments with a sudo prefix if the command came back with a non-zero return code (i.e. if it failed).
Use it as in "SCRIPT_NAME apt-get install emacs" for example. You may save it somewhere in your $PATH and set it as an alias like this (if you saved it as do_sudo):
alias apt-get='do_sudo apt-get'
Edit: That does not work for programs like synaptic which do work for non-root users but will give them less privileges. However, if the application fails when invoked without root privileges (like apt-get does) this works fine.
In the case where you want to always run a command as root but might already be root, you can solve this by wrapping a little bash script around it:
#!/bin/bash
if [ $EUID = 0 ]; then
"$#"
else
gksudo "$#"
fi
If you call this something like alwaysroot.bash and place it in the right spot on your PATH, then you can call your other program like this:
alwaysroot.bash otherprogram -arguments...
It even handles arguments with spaces in correctly.