7

I am trying to write a script that will run the following commands:

sudo su
runmqsc_result=`su -c "runmqsc QMGR < /home/rob/query_queue.txt" -m "mqm"`

My issue, however, is that these commands are run as part of a shell script, by a user that is in the sudoers file. However, obviously sudo su asks for the password of the user running it.

What I need to do is to pass the password to sudo su so that the script will run automatically. How can I do this?

P.S.: I can't change the permissions for running "runmqsc"... it HAS to be run as user mqm, which needs to be switched to from the root user.

n.st
RobM
  • Just configure `sudo` to allow executing `runmqsc` (possibly with the specific arguments) as user `mqm` without password—that's the primary purpose of `sudo`. The `su` is of course superfluous here; `sudo` already does its job. – Jan Hudec Dec 22 '20 at 09:13

2 Answers

15

From man sudo:

-S    The -S (stdin) option causes sudo to read the password from the standard
      input instead of the terminal device.  The password must be followed by a
      newline character.

So, while it defies all security principles, echo 'password' | sudo -S su [...] should work.


Alternatively, you could make your script writeable only by root and add the following to /etc/sudoers to allow the user johndoe to run it with root privileges without having to enter his password:

johndoe ALL = NOPASSWD: /full/path/to/your/script

The part writeable only by root is important to prevent johndoe from modifying the script and executing arbitrary commands as root.

n.st
  • 1
    Defying all security principles I did this in Busybox: `echo password | su -c reboot` – Herr von Wurst May 15 '14 at 08:29
  • 1
    I believe the question was about passing to `su`, though; in my case, the machine in question does not and will never have `sudo` on it, so this solution is pretty much dead for su alone. – kevr Jul 29 '17 at 01:07
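A pre-flight check for the "writeable only by root" condition in the answer above, as an added example that is not part of the original answer. The function names and the optional owner-UID argument are assumptions of this sketch, and it inspects only the file and its containing directory, not every ancestor directory.

```shell
#!/bin/sh
# Added example: vet a script before giving it a NOPASSWD line in /etc/sudoers.

# Succeed only if $1 is owned by uid $2 and not writable by group or others.
_locked_down() {
    info=$(ls -ldn "$1") || return 1          # e.g. "-rwxr-xr-x 1 0 0 ..."
    mode=${info%% *}
    uid=$(printf '%s\n' "$info" | awk '{ print $3 }')
    [ "$uid" = "$2" ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;       # group-write or other-write bit set
    esac
    return 0
}

# nopasswd_target_ok PATH [OWNER_UID]
# OWNER_UID defaults to 0 (root); it is a parameter only so the check can be
# exercised without root (an assumption of this example).
nopasswd_target_ok() {
    target=$1
    owner=${2:-0}
    case $target in
        /*) ;;
        *) echo "sudoers needs the full path: $target" >&2; return 1 ;;
    esac
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "not a regular file: $target" >&2; return 1
    fi
    if ! _locked_down "$target" "$owner"; then
        echo "file is not owner-only writable: $target" >&2; return 1
    fi
    # Write access to the directory allows replacing the file itself.
    dir=$(dirname "$target")
    if ! _locked_down "$dir" "$owner"; then
        echo "directory is not owner-only writable: $dir" >&2; return 1
    fi
    return 0
}

if [ "$#" -gt 0 ]; then
    nopasswd_target_ok "$@"
fi
```

Run it with the same full path that appears after `NOPASSWD:` in the sudoers entry; a non-zero exit status means the entry would let the invoking user change what runs as root.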
1

This solution works by using the 'script' command from the 'bsdutils' package, which sets up a pty (a terminal). The 'sleep' command is there to prevent sending the password before the 'su' command is ready to read it. The 'tail' command removes the "Password:" input line issued by 'su'.

 { sleep 1; echo rootpassword; } | script -qc 'su -c "runmqsc QMGR < /home/rob/query_queue.txt" -m "mqm"' /dev/null | tail -n +2

Beware that the rootpassword could be seen in many ways (history, ps, /proc/, etc...). Start the command with a space to at least avoid history recording.

jcamdr