Is there any way to run a script such that it executes as another user than the person running it?
Normally (well, old-fashionedly) one would have set the SUID bit in the permissions, made the script owned by the desired user and that would be it but nowadays it no longer works because SUID on scripts is disabled.
Is there any reasonably simple way to work round this? All I have found searching so far is to write a short C program to do the SUID change and use that to execute the script. I could do this I suppose but I'd really prefer an easier way to do it as the C program method needs to know both the desired UID and the name of the program to run so, while hardly complex, it will need command line parameters etc.
On 19/06/12 22:46, Chris Green wrote:
> Is there any way to run a script such that it executes as another user than the person running it?
If you're using the debian/ubuntu/mint flavour of linux, then you can use sudo
use visudo to edit the sudoers file (*)(+) then put in an entry like
desired_user_name ALL = NOPASSWD: /path/to/your/script
NOPASSWD is optional - if it's there, you won't be prompted to enter the password for that user when that script runs. I don't recall what the ALL means.
try man sudoers or man visudo for help, or google it.
Alternatively, you can switch user with su or sudo. Does that help - can you put it in your script?
HTH Steve
* - don't edit the file directly as there be dragons!
+ - I think it uses vi editing commands unless you tell it otherwise - check first unless you speak vi!
On Tue, Jun 19, 2012 at 11:42:18PM +0100, steve-ALUG@hst.me.uk wrote:
> On 19/06/12 22:46, Chris Green wrote:
> > Is there any way to run a script such that it executes as another user than the person running it?
> If you're using the debian/ubuntu/mint flavour of linux, then you can use sudo
> use visudo to edit the sudoers file (*)(+) then put in an entry like
> desired_user_name ALL = NOPASSWD: /path/to/your/script
> NOPASSWD is optional - if it's there, you won't be prompted to enter the password for that user when that script runs. I don't recall what the ALL means.
> try man sudoers or man visudo for help, or google it.
I think the ALL means all machines, alternatively one can put a machine/host name there.
I don't think the above is quite right either, it needs to be:-
user ALL = (user_wanted) NOPASSWD: /path/to/your/script
... but /etc/sudoers is somewhat arcane!
I don't seem to be able to get the NOPASSWD parameter to work, it keeps asking me for the password. In fact it's not working at all, I have:-
steve ALL = (chris) NOPASSWD: /home/chris/bin/nnnn
but if I do 'sudo -u chris /home/chris/bin/nnnn' when logged in as steve I get asked for steve's password and then get the error:-
steve is not allowed to run sudo on chris. This incident will be reported.
So I haven't got it right still!
Can anyone set me right? I just want steve (well, actually another user) to be able to execute a specific command as chris without having to enter a password.
On Wed, Jun 20, 2012 at 10:54:50AM +0100, Chris Green wrote:
> On Tue, Jun 19, 2012 at 11:42:18PM +0100, steve-ALUG@hst.me.uk wrote:
> > On 19/06/12 22:46, Chris Green wrote:
> > > Is there any way to run a script such that it executes as another user than the person running it?
> > If you're using the debian/ubuntu/mint flavour of linux, then you can use sudo
> > use visudo to edit the sudoers file (*)(+) then put in an entry like
> > desired_user_name ALL = NOPASSWD: /path/to/your/script
> > NOPASSWD is optional - if it's there, you won't be prompted to enter the password for that user when that script runs. I don't recall what the ALL means.
> > try man sudoers or man visudo for help, or google it.
> I think the ALL means all machines, alternatively one can put a machine/host name there.
> I don't think the above is quite right either, it needs to be:-
> user ALL = (user_wanted) NOPASSWD: /path/to/your/script
> ... but /etc/sudoers is somewhat arcane!
> I don't seem to be able to get the NOPASSWD parameter to work, it keeps asking me for the password. In fact it's not working at all, I have:-
> steve ALL = (chris) NOPASSWD: /home/chris/bin/nnnn
> but if I do 'sudo -u chris /home/chris/bin/nnnn' when logged in as steve I get asked for steve's password and then get the error:-
> steve is not allowed to run sudo on chris. This incident will be reported.
> So I haven't got it right still!
> Can anyone set me right? I just want steve (well, actually another user) to be able to execute a specific command as chris without having to enter a password.
Got it! You can't have any spaces around the = sign! It has to be:-
steve ALL=(chris) NOPASSWD: /home/chris/bin/nnnn
Gggggrrrrrr!!!!! Why doesn't *any* of the documentation point out this rather fundamental requirement? Yes, I know it's like assignments in shell scripts but I think that's about the only other place where spaces aren't allowed around = signs.
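Added example, not part of the thread: before relying on a NOPASSWD rule such as the one above, it is worth checking that the command it names can only be modified by root or the run-as user, since anyone else with write access to the file or a directory above it controls what runs under that account. The helper name `path_is_safe` is hypothetical and the script assumes GNU coreutils `stat`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils stat.
# A NOPASSWD rule is only as tight as the permissions on the command it names.

# path_is_safe RUNAS COMMAND [TOP]   (hypothetical helper name)
#   RUNAS   - run-as user from the rule, name or numeric uid (e.g. chris)
#   COMMAND - absolute path from the rule (e.g. /home/chris/bin/nnnn)
#   TOP     - directory at which to stop walking upwards (default /)
# Returns 0 if safe, 1 if a component is unsafe, 2 on bad arguments.
path_is_safe() {
    runas=$1 p=$2 top=${3:-/}
    case $runas in
        ''|*[!0-9]*) uid=$(id -u "$runas") || return 2 ;;  # name -> uid
        *) uid=$runas ;;
    esac
    case $p in /*) ;; *) echo "not an absolute path: $p" >&2; return 2 ;; esac
    if [ -L "$p" ] || [ ! -f "$p" ]; then
        echo "not a regular file: $p" >&2; return 2
    fi
    while :; do
        owner=$(stat -c %u "$p") || return 2
        mode=$(stat -c %a "$p") || return 2
        # Only root or the run-as user may own the file and its parents.
        if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; then
            echo "UNSAFE: $p is owned by uid $owner" >&2; return 1
        fi
        # Group- or world-writable is unsafe, except a sticky directory
        # (like /tmp), where only an entry's owner may rename or delete it.
        if [ $((0$mode & 022)) -ne 0 ]; then
            if [ ! -d "$p" ] || [ $((0$mode & 01000)) -eq 0 ]; then
                echo "UNSAFE: $p has mode $mode" >&2; return 1
            fi
        fi
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return 0
}
```

For the rule in this thread the call would be `path_is_safe chris /home/chris/bin/nnnn`.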