Starting a script as another user
I’ve created a script in /etc/init.d/ which has to run several other scripts from other (non-root privileged) users from their home directories, as if they started them. I launch these scripts with: sudo -b -u And it works. But for every user script that continues running(for example some watchdog) I see a corresponding parent sudo process, still alive and running as root. This creates a mess in the active processes list. So my question is: How can I launch(fork) another script from existing bash script as another user and leave it as an orphaned(stand alone) process? More detailed explanation:
I’m basically trying to provide to other users on the machine a mean to run stuff upon system start or system shutdown by running executable files found in respective subdirectories found in their home directory, named .startUp and .shutDown. Since I did not find any other means to do that I wrote my bash script that does exactly that and I’ve configured it as a service script (by following the skeleton example) in /etc/init.d/ so when it is run with start argument it launches everything from .startUp directories and when it is run with stop argument it launches everything from .shutDown directories of all users as them. Alternatively I’m also interested if I could have used some existing solution to solve this problem. UPDATE
I’ve looked around a bit and I found this question: https://unix.stackexchange.com/questions/22478/detach-a-daemon-using-sudo Accepted answer there, to use: sudo -u user sh -c «daemon & disown %1» , works for me to. But I also tried without disown %1 and it is the same. So this is what works for me as I expected:
My additional question now is, why is it working without disown? should I still leave the disown call, regardless, for some potential special case? UPDATE 2 Apparently this works too:
Is there any difference between this call and the sudo call? I know this is potentially an entire different question. But since I’m finding the answers here myself maybe for the sake of this topic someone could clarify this here. UPDATE 3
Both of these methods with either su or sudo now produce a new startpar process (single process that runs as root) after I boot the machine. Visible in process list as:
Why is this process spawned? Obviously I’m doing something wrong since no other init.d script has this process running. UPDATE 4
The issue with startpar is resolved. I’ve started another question for that:
startpar process left hanging when starting processes from rc.local or init.d And another question to further discuss launching mechanisms for non privileged users:
Providing normal users(non-root) with initialization and shutdown auto-run capabilities
How to run a command as a specific user in an init script?
I’m writing an init script which is supposed to execute a single command as a user different than root. This is how I’m doing it currently:
sudo -u username command This generally works as expected on Ubuntu/Debian, but on RHEL the script which is executed as the command hangs.
Is there another way to run the command as another user?
(Note that I can’t use lsb init functions as they’re not available on RHEL/Centos 5.x.)
Notice that this question is about something set up exclusively by the administrator (typically, a daemon that runs as some user for security). A slightly different case is users setting up on their own commands to run at boot, with their user crontab. See askubuntu.com/questions/260845/…
6 Answers 6
On RHEL systems, the /etc/rc.d/init.d/functions script is intended to provide similar to what you want. If you source that at the top of your init script, all of it’s functions become available.
The specific function provided to help with this is daemon . If you are intending to use it to start a daemon-like program, a simple usage would be:
daemon --user=username command If that is too heavy-handed for what you need, there is runuser (see man runuser for full info; some versions may need -u prior to the username):
/sbin/runuser username -s /bin/bash -c "command(s) to run as user username" How can I run as another user?
This is the bash code that should be runned. So first it substitutes the user to openproject and than runs all the code:
su openproject -c "bash -l" cd ~/openproject git checkout Gemfile.lock git pull bundle install RAILS_ENV="production" bundle exec rake db:migrate RAILS_ENV="production" bundle exec rake db:seed RAILS_ENV="production" bundle exec rake assets:precompile su - openproject -c "cd ~openproject/openproject" su - openproject -c "git checkout stable" su - openproject -c "git checkout Gemfile.lock" su - openproject -c "git pull" su - openproject -c "bundle install" su - openproject -c "RAILS_ENV="production" bundle exec rake db:migrate" su - openproject -c "RAILS_ENV="production" bundle exec rake db:seed" su - openproject -c "RAILS_ENV="production" bundle exec rake assets:precompile" but this does not run properly and at every steps asks for password. How can the translated script be improved so it works? UPDATE 1: After receiving sugestions about this I am the point where the code has been modified into:
cd ~openproject/openproject sudo -u openproject git checkout stable sudo -u openproject git checkout Gemfile.lock sudo -u openproject git pull # the output is good thill here sudo -u openproject bundle install sudo -u openproject RAILS_ENV="production" bundle exec rake db:migrate sudo -u openproject RAILS_ENV="production" bundle exec rake db:seed sudo -u openproject RAILS_ENV="production" bundle exec rake assets:precompile UPDATE 2: After trying the suggestion from Dmitry Vasilyanov I found that if i insert the -i it will simulate as user login. However this is not the final way to do it. If I run echo $PATH after logging in as openproject the ouput is /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/home/openproject/.rvm/bin If I run echo $PATH after su openproject -c «bash -l» the output is /home/openproject/.rvm/gems/ruby-2.1.0/bin:/home/openproject/.rvm/gems/ruby-2.1.0@global/bin:/home/openproject/.rvm/rubies/ruby-2.1.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/home/openproject/.rvm/bin
Run a shell script as another user that has no password
I would like to run a script from the main ubuntu shell as a different user that has no password. I have full sudo privileges, so I tried this:
sudo su -c "Your command right here" -s /bin/sh otheruser Then I have to enter my password, but I am not sure if that script is now really running under that user. How can I confirm that the script is really running under that user now?
10 Answers 10
You can do that with su or sudo , no need for both.
sudo -H -u otheruser bash -c 'echo "I am $USER, with uid $UID"' The relevant parts of man sudo :
-H The -H (HOME) option requests that the security policy set the HOME environment variable to the home directory of the target user (root by default) as specified by the password database. Depending on the policy, this may be the default behavior. (Starting from Ubuntu 19.10, -H is no longer needed as this is now the default behaviour. See: How does sudo handle $HOME differently since 19.10?)
-u user The -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a user name, use #uid. When running commands as a uid, many shells require that the '#' be escaped with a backslash ('\'). Security policies may restrict uids to those listed in the password database. The sudoers policy allows uids that are not in the password database as long as the targetpw option is not set. Other security policies may not support this. su can only switch user without providing a password if you are root. See Caleb’s answer
You can modify the /etc/pam.d/su file to allow su without password. See this answer.
If you modified your auth file to the following, any user that was part of group somegroup could su to otheruser without a password.
auth sufficient pam_rootok.so auth [success=ignore default=1] pam_succeed_if.so user = otheruser auth sufficient pam_succeed_if.so use_uid user ingroup somegroup rubo77@local$ su otheruser -c 'echo "hello from $USER"' hello from otheruser