2

I am trying to create a Linux terminal menu by way of a simple script. Within the script it will have some commands that will submit a job (a shell script for example) as another user without password prompt.

I was able to find the following post and this worked: how to run script as another user without password. However, there was one side effect. It appears the user can run other scripts in that user's folder, which I don't want.

Any suggestions/help welcome.

For the sake of this, here is what I have:

  1. Username temp1, which is the user that will be running the menu: `uid=1001(temp1), gid=1001(temp1), groups=1001(temp1)`

  2. Username wayne, which is the user that the script must be submitted as to run the job: `uid=1000(wayne), gid=1000(wayne), groups=1000(wayne),4(adm),24(cdrom),27(sudo),30(dip)...`

  3. Scripts script1.sh and script2.sh owned by wayne.

    -rwxr-xr-x script1.sh
    -rwxr-xr-x script2.sh
  4. If I try to go to /home/wayne as temp1 user I get permission denied (expected)

  5. I set the scripts to chmod 700 for wayne, so technically no one can run them other than wayne.

  6. I have edited the sudoers file and have the following entry:

    temp1 ALL(wayne) NOPASSWD: /home/wayne/script1.sh

  7. When I run the command `su -c "/home/wayne/script1.sh" -s /bin/sh wayne` the script runs (as expected).

  8. When I run the command `su -c "/home/wayne/script2.sh" -s /bin/sh wayne` the script runs (not expected).

Any ideas?

Xathras
  • One difference between your exemplar question and your question is that the other question uses `user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh` but you omit the `=` in your version. That might be all that's wrong; it might be innocent. It's worth checking. – Jonathan Leffler Nov 22 '14 at 18:24
  • I made sure it had the equals and still got the same results. The output is owned by wayne so I know it's running the correct script. – Xathras Nov 22 '14 at 23:49

3 Answers

7

The answer is to change from su to sudo.

su is primarily for switching users, while sudo is for executing commands as other users. The -u flag lets you specify which user to execute the command as:

    sudo -u wayne '/home/wayne/script2.sh'

gives "Sorry user is not allowed to execute".

Potherca
Xathras
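As an added example (not code from the question or from either answer), here is a minimal menu script for temp1 that submits the job through sudo, as the accepted answer suggests, instead of su. It assumes the sudoers rule written with the `=` that the comments point out, `temp1 ALL=(wayne) NOPASSWD: /home/wayne/script1.sh`, and reuses the thread's user and script names; the function names, the allowlist variable and the `--menu` flag are my own. The menu only ever offers the exact absolute paths that sudoers lists and passes them to sudo unchanged, so a request for script2.sh is refused by the menu and, if it ever got that far, by sudo itself.

```sh
#!/bin/sh
# Added example: a job menu run by temp1 that submits scripts as wayne via sudo.
# Assumes this sudoers entry (one permitted script per line):
#   temp1 ALL=(wayne) NOPASSWD: /home/wayne/script1.sh

TARGET_USER="wayne"

# Exact absolute paths granted in sudoers (assumed; keep in sync with the file).
# Space-separated, so paths containing spaces would need a different structure.
ALLOWED_JOBS="/home/wayne/script1.sh"

# check_allowed PATH: succeed only if PATH is one of ALLOWED_JOBS verbatim.
# Exact matching mirrors sudo: a relative name, a different script in the same
# directory, or extra arguments do not match the rule and must not be offered.
check_allowed() {
    for job in $ALLOWED_JOBS; do
        [ "$1" = "$job" ] && return 0
    done
    return 1
}

# select_job N: print the Nth allowed job (1-based), fail if there is none.
select_job() {
    i=1
    for job in $ALLOWED_JOBS; do
        if [ "$1" = "$i" ]; then
            echo "$job"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# build_sudo_cmd PATH: print the exact command line the menu will execute.
# -n makes sudo fail instead of prompting (a prompt means the NOPASSWD rule did
# not match and would otherwise hang the menu), -u selects the target user, and
# -- stops option parsing so the path is never read as a sudo option.
build_sudo_cmd() {
    printf 'sudo -n -u %s -- %s\n' "$TARGET_USER" "$1"
}

# run_job PATH: refuse anything outside the allowlist, then hand it to sudo.
run_job() {
    if ! check_allowed "$1"; then
        echo "refused: $1 is not an offered job" >&2
        return 1
    fi
    sudo -n -u "$TARGET_USER" -- "$1"
}

# show_menu: list the offered jobs, read a choice, run the selected one.
show_menu() {
    echo "Jobs you may submit as $TARGET_USER:"
    i=1
    for job in $ALLOWED_JOBS; do
        echo "  $i) $job"
        i=$((i + 1))
    done
    printf 'Choice (number): '
    read -r choice
    job=$(select_job "$choice") || { echo "no such job" >&2; return 1; }
    run_job "$job"
}

# Only run the interactive menu when asked for explicitly, so the functions
# above can also be sourced and checked without touching sudo.
case "${1:-}" in
    --menu) show_menu ;;
esac
```

Run it as temp1 with `./menu.sh --menu`. Before wiring a new script into the menu, `sudo -n -l -u wayne -- /home/wayne/script2.sh` run as temp1 exits with status 1 when sudoers does not permit that command, and `visudo -c` validates the sudoers file after editing. Two caveats a reviewer would raise: sudo matches the full path, so the allowlist must use the same absolute path as the sudoers line, and a NOPASSWD grant is only as narrow as the script it names, so script1.sh itself must not execute arbitrary input or read files that temp1 can write.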
0

Solution: In order to run commands/scripts as another user on Linux/Unix you need sudo permission; then run the following formula:

    sudo -H -u <user> bash -c '<some-command>'

For example:

    sudo -H -u wayne bash -c 'echo "user:$USER|home:$HOME|action:run_script"; /home/wayne/script.sh'

From the documentation:

    sudo allows a permitted user to execute a command as the superuser or
    another user, as specified by the security policy.

    -H          The -H (HOME) option requests that the security policy set
                the HOME environment variable to the home directory of the
                target user (root by default) as specified by the password
                database.  Depending on the policy, this may be the default
                behavior.

    -u user     The -u (user) option causes sudo to run the specified
                command as a user other than root.  To specify a uid
                instead of a user name, use #uid.  When running commands as
                a uid, many shells require that the '#' be escaped with a
                backslash ('\').  Security policies may restrict uids to
                those listed in the password database.  The sudoers policy
                allows uids that are not in the password database as long
                as the targetpw option is not set.  Other security policies
                may not support this.
avivamg
0

Don't overlook "runuser". I found this to be just the thing I needed with Python scripts run from /etc/cron.hourly.

grant
  • `runuser` is only available for `root`. Not only does this not answer the question, but suggesting this - using `root` as a way to run a script as another user - is a very bad idea. – Bruno Apr 24 '23 at 15:42