Can someone explain the difference between su -p (--preserve-environment) and su - when switching user at the command-line?
I'm familiar with "su -" but it's unclear to me how su -p differs, if at all.
The difference is that with su -p you can preserve all the personalization you did with your original user. For example, you preserve your alias, your bashrc, profile ...
In simple words:
- using "su" you get SuperUser's rights **and** environment
- using "su -p" you get only SuperUser's rights (the environment stays your own)
As you can see in the su manpage it says "do not reset environment variables".
Unix shells allow you to store values in variables. It even uses this itself (i.e. the PATH variable saves the location of executables). If you use -p you keep your environment variables, instead of getting the ones from the new user.
(However they might still be overwritten by whatever shell initation scripts that user has..)
Related
I am adding below command in sudoers file, but it is giving me syntax error not allowing "foo=bar" before command.
user ALL=(runas) SETENV:NOPASSWD:foo=bar /path/to/command /path/to/script
If I add using /bin/bash prefix this worked
user ALL=(runas) SETENV:NOPASSWD:/bin/bash -c "foo=bar /path/to/command /path/to/script"
but when I run sudo from user it asks me for a password.
Can someone please let me know How should this work?
Your command list must be a file in your filesystem indicated its full path. I´m not quite sure what your foo=bar "command" should even mean. If that is a variable being set, aren´t you lacking a semicolon (foo=bar;)? But anyways, sudo is not about setting variables either way, it´s about running commands. You should just get rid of foo=bar altogether and keep
user ALL=(runas) SETENV:NOPASSWD: /path/to/command /path/to/script
You wouldn´t use sudo to stop a user from setting a variable (if that is what you even meant in the first place).
from manpages:
A Cmnd_List is a list of one or more command names, directories, and
other aliases. A command name is a fully qualified file name which
may include shell-style wildcards (see the Wildcards section below).
Hello I would like to understand the differences w.r.t env that gets setup using sudo su - vs just a sudo su.
User already a part of sudoers
Not able use few kerberos commands when I use just sudo su.
A look in the manual page for the su command showed the following:
-, -l, --login
Start the shell as a login shell with an environment similar
to a real login:
o clears all the environment variables except TERM
o initializes the environment variables HOME, SHELL,
USER, LOGNAME, and PATH
o changes to the target user's home directory
o sets argv[0] of the shell to '-' in order to make
the shell a login shell
So, if you use sudo su - the above mentioned variables are erased and filled with information according to your new user (root or another).
Maybe some needed environmental variables are set for your root user?
Unfortunately, I haven't worked with kerberos yet.
Hope I helped you a bit.
I would like my root-requiring bash script to be run from IntelliJ/WebStorm, asking me for the root password when I run it. Having my root password hardcoded in the script is a bad idea of course.
IntelliJ/WebStorm actually has a $Prompt$ macro for reasons like this, which prompts you and uses your input as a value.
So I tried using $Prompt$ along with echo YOURPASSWORD | sudo -S yourcommand as described in use-sudo-with-password-as-parameter.
Then I pass passwd & script to run to a sudorun.sh script echo -e $1 | sudo -S $2 $3 $4 (since echo can't be be the 'program' line) which although works on the CLI, it fails to read echo-stdin on the IntelliJ console.
Ideally, I would like the solution to be configured solely from within IntelliJ and not require specific OS configuration changes outside of IntelliJ.
Perhaps there are other ways to deal with this, so lets improvise!
I, too, faced the same issue, but I work with sensitive data on my development machine and removing the password requirement for sudoers just isn't an option.
I was able to resolve this issue by launching the actual WebStorm application from the command line using the sudo command as follows:
sudo /Applications/WebStorm.app/Contents/MacOS/webide
Once WebStorm/PhpStorm are launched this way, you can run a script with root access without supplying root credentials.
Use the NOPASSWD feature of sudo. Add a rule like so to sudoers (via visudo or similar):
someuser ALL = NOPASSWD: /usr/bin/interesting_program
%somegroup ALL = NOPASSWD: /usr/bin/interesting_program
I find myself automating a lot of my workflow, and running into the same issue. I don't want to punch a hole in my sudoer permissions, and I don't want to run my IDE as root either. A good solution that I've found is gksudo, on Ubuntu and many other Linux variants you'll find it installed by default. What gksudo does is it allows you to prompt the user(yourself) to input your password with a graphic overlay, much like Ubuntu/KDE/etc. do when you need to be root to perform an operation such as an update.
This will then prompt you to provide your password to escalate privilege, then execute a given command/program as root.
In the Edit Tool Window simply:
Set the Program to /usr/bin/gksudo
gksudo may be located at a different path, try: whereis gksudo to find its path
Set Parameters to all commands you want to execute in quotes
Ex. "mongod --fork --config /etc/mongodb.conf; service elasticsearch start"
Make sure you have the quotes!
Set a working directory(if needed)
I'm writing a bash script that requires root access and so what I need to do is write something like
$my_psswd >> sudo some_command parameter1 parameter2
to automate the process. I'm not concerned if this opens up security holes. This is more or less of an example that I can think of. But the problem is that when I initiate sudo anything, it asks for user input which I'm not sure how automate or provide as a variable.
I've tried things like
$my_psswd >1 sudo something
echo $my_psswd | sudo something
but none of this is what I want. Also this has to be a bash script, I can't use a program like expect. Thanks.
You need -S switch for sudo command:
-S The -S (stdin) option causes sudo to read the password from the standard input instead of the terminal device. The password must be followed by a newline character
I recommend against doing this at all. You will be storing your password in plain text which means other people may have access to it. Or it will be visible in process listings, again available to other users.
There are a couple of alternatives to prevent this:
Run the entire script using sudo. Do not use sudo in the script itself but run the entire things with elevated privileges. The downside is off course that your might be executing things with elevated privileges that do not require it but with no more background that's impossible to say.
Better would be to configure your account to execute those specific commands through sudo without providing a password. That way you can execute only the commands that need it with elevated prvileges without the problem of providing a password.
A workaround could be to run sudo -l before calling the script. That way sudo will have an active session and won't prompt for a password. This is only a workaround and would fail if one of the commands takes longer to execute than the configured grace time for sudo. But in small scripts this might be an easy fix.
Try echo $PW | sudo -S cmd
It may work for you.
you are not suppose to use sudo this way, use visudo to specify what commands are allowed to what users, then you don't need to worry about passwords.
I'm sure this question has been answered before, but I can't find an answer that I like. I would like to write a shell script that executes a very specific script as another user (I want anyone to be able to start postgres as the postgres user). The script will have 710 perms so it will be executable by a certain group but not readable or writable by that group.
Now, I'm pretty sure there's no way to use 'su' without an interactive password prompt. There are lots of good reasons for that and I don't need to be convinced of the merit of those reasons (I'm told that someone savvier than me could grab the password off the processes list which is bad).
Question is, more generally how would I accomplish what I want to do without abusing unix security paradigms? Is there a way to allow user to execute a very specific process as another user?
This sort of situation is exactly what sudo was designed for.
You can create an executable (not a shell script) that launches the script that should run as the postgres user. Change the owner of the executable to the postgres user, and set the setuid bit.
See Best practice to run Linux service as a different user to address Celada's concern.
Well, you could use a simple script to access programmatically to an user using sudo and then execute all code you want.
Here is a simple script:
if [ "$#" -ne 2 ]; then
echo "Usage: "
echo " suprompt <user> <password>"
else
echo $2 | sudo -sS su $1
sudo su $1
fi
This script uses two arguments. The first one is the user you want to be, and the second arg is the password.
It works automatically.
You can change the final statement and do: sudo su $1 -c <command>
I hope this will work for you.