I am having a cent-OS server with 5 accounts: developer, user1 ,user2 ,user3 and user4. All the user home directories are under /home like /home/developer, /home/user1, /home/user2, /home/user3 and /home/user4. I want to create a 4 scripts: user1.sh, user2.sh, user3.sh and user4.sh inside the /home/developer folder. When the user developer run the script user1.sh, he switches to the user1 and cd to the home directory of user1 (/home/user1) and so on for the remaining scripts. The idea behind is to keep the developer from the root access and allow switch to other user's home directory by simple executing a command with that user's name. Is it possible?
I suppose you're looking at su - otherUser
Of course, you'll have to provide the password of the other user.
I suppose that something like sudo su - otherUser could work but I haven't tried
Related
As a web developer I always have the problem when updating PHP (and other) files from an SSH client, because I am logged in as a user or simply root.
After that update I always have to run manually from a terminal 'chown -R apache:apache *' to make the files accessible.
I tried to make a user ID and add it to the group 'apache' and add the apache user to the group of my user id. That works only for existing files on the server file system, because newly created files have permissions rwxr--r-- which does not allow writing by my user even as it is in the 'apache' group.
I'd like to make a login (shell is not needed) for the Apache user, so I can use an SSH based file browser like Forklift to login as Apache or use sshfs to mount as Apache user.
Another way is make umask that my user id always sets attributes of newly created files from sshfs mount or a file browser (mounted with my user id, not root) that they have permission rwxrwxr-- (i.e. 0775) by default.
Is there a way I can upload files to the server (updating existing op create new ones) without having to worry about permissions by Apache ?
You have to set the setgid
For example, do the following steps:
adduser hugo
addgroup apache
usermod -a -G apache hugo
mkdir /tmp/example
chown hugo:apache /tmp/example
chmod g+s /tmp/example
su hugo
cd /tmp/example
touch my_file
ls -l
We are using sudo users with limited commands to execute and assigned default home directory /home/sudouser but if that particular sudo user is running command cd \ its changing the directory to the main root directory /. This behaviour is totally insecure for us.
We need it such that if the sudo user is entering cd / or cd it changes directory to their home directory /home/sudouser
Please let us know how we can implement this?
Don't ever try to restrict a sudo user to only a directory or a command, a sudo user can by definition do what he wants.
In your case, having a script that assigns the home directory is I think a better idea. To solve the trouble of permissions look for the suid bit in permissions: http://www.linuxnix.com/suid-set-suid-linuxunix/
For example: create a sh file that has the following permissions: "-rwsr--r--" that is owned by root and as a group that can be accessed by the user whom you want to use the script.
Then in the file you create a simple script to execute the command to change default directory with let's say two parameters (username and directory)
I have been trying to automate a process of rsyncing many user directories from one host to another. I have set up an SSH key pair so that the user can go straight from server A to server B without a password prompt. The problem is that when I run the command as root, instead of it cycling through each user account and syncing only the data in that specific user directory it performs a sync from the root level directory of all of the users thus creating the root directory structure and all of the child directories inside each user directory!
The command I am running is:
(As root):
#!/bin/bash
for user in $(</root/scripts/users.txt)
do
su - $user -c "chmod 600 .ssh/*;rsync -avvh --stats --delete --exclude ".*/" --exclude=".*" . remotehost:."
done
If I run the command as root on the command line (i.e. su to the username and then perform the commands inside the quotes it works fine. If I run the command as root and change the command inside the quotes to just ask for the path it should be it shows that users home directory so I am lost as to why this is not just changing to that specific user, syncing the data in that users home directory with the remote host and then moving on to the next user.
Help!?!
I work on a shared linux enviroment (CentOS), but for some reason one of my logins has been locked.
When I do a cat /etc/passwd | grep "/home", I can find my user:
roaming:x:579:579::/home/roaming:/bin/nologin
I've got root permission but don't know what to do to be able to login again.
What should I do about this 'no login' thing??
The shell for this user is set to a non-existent program in order to prevent user from logging in with interactive shell (ssh, local login). Yet the user can authenticate to do some other stuff like copying files through FTP or SMB.
Just run as a root to put a normal shell back.
chsh roaming /bin/bash
As root, enter
chsh -s /bin/sh roaming
I am trying to create a Linux terminal menu by way of a simple script. Within the script it will have some commands that will submit a job (a shell script for example) as another user without password prompt.
I was able to find the following post and this worked. how to run script as another user without password
However, there was one side affect. It appears the user can run other scripts in that users folder which I don't want.
Any suggestions/help welcome.
For the sake of this. Here is what I have:
Username temp1, which is the user that will be running the menu.
uid=1001(temp1), gid=1001(temp1), groups=1001(temp1)
Username wayne, which is the user that the script must be submitted as to run the job
uid=1000(wayne), gid=1000(wayne),groups=1000(wayne),4(adm),24(cdrom),27(sudo),30(dip)...
Script script1.sh, script2.sh owned by wayne.
-rwxr-xr-x script1.sh
-rwxr-xr-x script2.sh
If I try to go to /home/wayne as temp1 user I get permission denied (expected)
I set the scripts to chmod 700 for wayne. So technically no one can run them other than wayne.
I have edited sudo file and have the following entry:
temp1 ALL(wayne) NOPASSWD: /home/wayne/script1.sh
When I run command su -c "/home/wayne/script1.sh" -s /bin/sh wayne the script runs (as expected)
When I run command su -c "/home/wayne/script2.sh" -s /bin/sh wayne the script runs (not expected).
Any ideas?
The answer is change from su to sudo.
su is primarily for switching users, while sudo is for executing commands as other users. The -u flag lets you specify which user to execute the command as:
sudo -u wayne '/home/wayne/script2.sh'
gives Sorry user is not allowed to execute
Solution: In order to run commands/scripts as another user on linux/unix you need sudo permission and run the following formula:
sudo -H -u <user> bash -c '<some-command>'
For example:
sudo -H -u wayne bash -c 'echo "user:$USER|home:$HOME|action:run_script"; ./home/wayne/script.sh'
from Documentation:
sudo allows a permitted user to execute a command as the superuser or
another user, as specified by the security policy.
-H The -H (HOME) option requests that the security policy set
the HOME environment variable to the home directory of the
target user (root by default) as specified by the password
database. Depending on the policy, this may be the default
behavior.
-u user The -u (user) option causes sudo to run the specified
command as a user other than root. To specify a uid
instead of a user name, use #uid. When running commands as
a uid, many shells require that the '#' be escaped with a
backslash ('\'). Security policies may restrict uids to
those listed in the password database. The sudoers policy
allows uids that are not in the password database as long
as the targetpw option is not set. Other security policies
may not support this.