Running command as another user linux

Run a shell script as another user that has no password

I would like to run a script from the main ubuntu shell as a different user that has no password. I have full sudo privileges, so I tried this:

sudo su -c "Your command right here" -s /bin/sh otheruser 

Then I have to enter my password, but I am not sure if that script is now really running under that user. How can I confirm that the script is really running under that user now?

10 Answers 10

You can do that with su or sudo , no need for both.

sudo -H -u otheruser bash -c 'echo "I am $USER, with uid $UID"' 

The relevant parts of man sudo :

-H The -H (HOME) option requests that the security policy set the HOME environment variable to the home directory of the target user (root by default) as specified by the password database. Depending on the policy, this may be the default behavior. 

(Starting from Ubuntu 19.10, -H is no longer needed as this is now the default behaviour. See: How does sudo handle $HOME differently since 19.10?)

-u user The -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a user name, use #uid. When running commands as a uid, many shells require that the '#' be escaped with a backslash ('\'). Security policies may restrict uids to those listed in the password database. The sudoers policy allows uids that are not in the password database as long as the targetpw option is not set. Other security policies may not support this. 

su can only switch user without providing a password if you are root. See Caleb’s answer

You can modify the /etc/pam.d/su file to allow su without password. See this answer.

If you modified your auth file to the following, any user that was part of group somegroup could su to otheruser without a password.

auth sufficient pam_rootok.so auth [success=ignore default=1] pam_succeed_if.so user = otheruser auth sufficient pam_succeed_if.so use_uid user ingroup somegroup 
rubo77@local$ su otheruser -c 'echo "hello from $USER"' hello from otheruser 

Источник

How can I execute a group of commands as another user in Bash?

There are already some existing questions asked here about running commands as another user. However, the question and answers focus on a single command instead of a long group of commands. For example, consider the following script:

#!/bin/bash set -e root_command -p param1 # run as root # these commands must be run as another user command1 -p 'parameter with "quotes" inline' command2 -p 'parameter with "quotes" inline' command3 -p 'parameter with "quotes" inline' 
  • The final three commands must be run as another user using su or sudo . In the example there were three commands, but suppose that there were many more.
  • The commands themselves make use of single and double quotes.
Читайте также:  Formatting partitions in linux

The second point above prevents the use of the following syntax:

. since the commands themselves contain quotes.

What is the proper way to «group» the commands and run them under another user account?

3 Answers 3

here-doc. The next token is the delimiter, and everything up to a line beginning with the delimiter is fed as standard input to the command. Putting the delimiter in single quotes prevents variable substitution within the here-doc.

This will be useful to some: If you need the command to actually run in the user’s full environment, as if they had logged in, which may include different paths, for example. Add they hyphen before ‘somebody’, like so: su — somebody .

Make sure there is no whitespace before closing EOF (eg when calling from indented ‘if’ statement). Error is thrown otherwise — see tldp.org/LDP/abs/html/here-docs.html

@PatrizioBekerle I did it interactively in the terminal, but I just tried it in a script as well, and they both worked.

I’m not that great with Bash-foo, so there is bound to be a more elegant way, but I’ve approached this problem in the past by using multiple scripts and a «driver».

#!/bin/bash set -e su root script1 su somebody script2 
#!/bin/bash set -e root_command -p param1 # Run as root 
#!/bin/bash set -e # These commands must be run as another user command1 -p 'parameter with "quotes" inline' command2 -p 'parameter with "quotes" inline' command3 -p 'parameter with "quotes" inline' 

This script checks if the current user running the script is the desired user. If not, then the script is re-executed with the desired user.

#!/usr/bin/env bash TOKEN_USER_X=TOKEN_USER_X USER_X=peter # other user! SCRIPT_PATH=$(readlink -f "$BASH_SOURCE") if [[ "$@" != "$TOKEN_USER_X" ]]; then ###### RUN THIS PART AS the user who started the script echo "This script is $SCRIPT_PATH" echo -n "Current user: " echo $USER read -p "insert: " echo "got $REPLY" su - $USER_X -c "$SCRIPT_PATH $TOKEN_USER_X" # execute code below after else (marked #TOKEN_USER_X) else #TOKEN_USER_X -- come here only if script received one parameter TOKEN_USER_X ###### RUN THIS PART AS USER peter echo echo "Now this script is $SCRIPT_PATH" echo -n "Current user: " echo $USER read -p "insert: " echo "got $REPLY" exit 0 fi echo echo "Back to initial user. " echo -n "Current user: " echo $USER 

Источник

Читайте также:  Arch linux which kernel

Run script as another user on Linux

One difference between your examplar question and your question is that the other question uses user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh but you omit the = in your version. That might be all that’s wrong; it might be innocent. It’s worth checking.

I made sure it had the equals and still got the same results. The output is owned by wayne so I know its running correct script.

3 Answers 3

The answer is change from su to sudo.

su is primarily for switching users, while sudo is for executing commands as other users. The -u flag lets you specify which user to execute the command as:

sudo -u wayne '/home/wayne/script2.sh' 

gives Sorry user is not allowed to execute

Solution: In order to run commands/scripts as another user on linux/unix you need sudo permission and run the following formula:

For example:

sudo -H -u wayne bash -c 'echo "user:$USER|home:$HOME|action:run_script"; ./home/wayne/script.sh' 

from Documentation:

 sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. -H The -H (HOME) option requests that the security policy set the HOME environment variable to the home directory of the target user (root by default) as specified by the password database. Depending on the policy, this may be the default behavior. -u user The -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a user name, use #uid. When running commands as a uid, many shells require that the '#' be escaped with a backslash ('\'). Security policies may restrict uids to those listed in the password database. The sudoers policy allows uids that are not in the password database as long as the targetpw option is not set. Other security policies may not support this. 

Источник

su options — running command as another user

I was wondering how to run a command as another user from a script. I have the script’s owner set as root. I also have the following command being run within the script to run the command as the hudson user:

For other googlers: some users might have this ability disabled on purpose. You can run sudo cat /etc/passwd | grep user-abc . If you see something like this: user-abc:x:994:994::/home/user-abc:/bin/false then it won’t work. That’s because the last part » /bin/false » means that there is no shell for that user.

Читайте также:  Показать содержимое директории linux

2 Answers 2

$ su --help Usage: su [options] [LOGIN] Options: -c, --command COMMAND pass COMMAND to the invoked shell -h, --help display this help message and exit -, -l, --login make the shell a login shell -m, -p, --preserve-environment do not reset environment variables, and keep the same shell -s, --shell SHELL use SHELL instead of the default in passwd 

And some testing (I used sudo as I don’t know the password for the nobody account)

$ sudo su -c whoami nobody [sudo] password for oli: nobody 

When your command takes arguments you need to quote it. If you don’t, strange things will occur. Here I am —as root— trying to create a directory in /home/oli (as oli) without quoting the full command:

# su -c mkdir /home/oli/java oli No passwd entry for user '/home/oli/java' 

It’s only read mkdir as the value for the -c flag and it’s trying to use /home/oli/java as the username. If we quote it, it just works:

# su -c "mkdir /home/oli/java" oli # stat /home/oli/java File: ‘/home/oli/java’ Size: 4096 Blocks: 8 IO Block: 4096 directory Device: 811h/2065d Inode: 5817025 Links: 2 Access: (0775/drwxrwxr-x) Uid: ( 1000/ oli) Gid: ( 1000/ oli) Access: 2016-02-16 10:49:15.467375905 +0000 Modify: 2016-02-16 10:49:15.467375905 +0000 Change: 2016-02-16 10:49:15.467375905 +0000 Birth: - 

Источник

How to run a command as a specific user in an init script?

I’m writing an init script which is supposed to execute a single command as a user different than root. This is how I’m doing it currently:
sudo -u username command This generally works as expected on Ubuntu/Debian, but on RHEL the script which is executed as the command hangs.
Is there another way to run the command as another user?
(Note that I can’t use lsb init functions as they’re not available on RHEL/Centos 5.x.)

Notice that this question is about something set up exclusively by the administrator (typically, a daemon that runs as some user for security). A slightly different case is users setting up on their own commands to run at boot, with their user crontab. See askubuntu.com/questions/260845/…

6 Answers 6

On RHEL systems, the /etc/rc.d/init.d/functions script is intended to provide similar to what you want. If you source that at the top of your init script, all of it’s functions become available.

The specific function provided to help with this is daemon . If you are intending to use it to start a daemon-like program, a simple usage would be:

daemon --user=username command 

If that is too heavy-handed for what you need, there is runuser (see man runuser for full info; some versions may need -u prior to the username):

/sbin/runuser username -s /bin/bash -c "command(s) to run as user username" 

Источник

Оцените статью
Adblock
detector