Execute Script as another user whilst not being root

Question

Situation:

I'd like to execute a shellscript directly from a web-gui. The shellscript belongs to the user "tux". Since my webserver is running as apache, I can't execute tux's shellscript. OS: CENTOS

What I've tried:

su -c "/opt/tomcat/bin/shutdown.sh" -s /bin/sh tux

I tried different ways, the mentioned one is how it worked when i was logged in as root user.

Question:

Is there a way to do the same while not being root? Something like a command where I can pass the user AND its password to execute the script.

I can't just change the ownership of the script because it's depending on tux's profile (other files, directories).

Thanks very very much in advance for your help!

Answer 1

Try this:

echo "$pass" | sudo -S -u $user script

$pass is you password, $user is the user who wants to run the script. (This user must have permission to run the script.)

If your user doesn't have permission, then try running as group:

echo "$pass" | sudo -S -g $group script

This group must have permission to run the script.

Note: Passing password like this isn't a good idea.

If your user can't use sudo:

If your user can't use sudo then you can't run the script by switching users with sudo. You should consider executing the script with this non-sudo user account. And for that, this user must have permission to execute the script.

One way to do that is to change permission of the script to 755 (from sudo user):

Then you can execute the script by entering the path in terminal. (if your script depends on relative path, make sure to cd to the parent directory of the script before running it)

Note: This will permit any user to execute the script (without any authentication)

Another way is to add the non-sudo user into a group which has permission to execute the script:

In this case, permissions like:

chmod ug+rwx,o-x+r script
#read write xecute permission to user and group and readonly to others

and

chmod u+rwx,g+rx,o-x+r
#read write xecute to user and rx to group and readonly to others 

and so on where group have the right to execute the file will do the trick. It's more secure than using a 755 permission.

The steps to go through with this process:

1.Log in to the user account which has sudo privillege.

2.Change permission of the script as only user and group will be permitted to execute the script.

Example:

chmod u+rwx,g+rx,o-x path/to/the/script

3.Add the non-sudo user to the current user group:

sudo usermod -g $USER non_sudo_user_name
#you don't need to edit $USER, only non_sudo_user_name

4.Do a new login in the non sudo user account.

Now you can execute the script by running:

/path/to/the/script

Note: If your script depends on relative path, then you might need to cd to the parent directory of the script before running it.

Answer 2

You can add your user tux to /etc/sudoers with NOPASSWD to allow it to run sudo without password prompt.

E.g. add this to the end of /etc/sudoers to allow elevated execution of any command without password (note, there's a special tool for that - visudo):

tux    ALL=(ALL) NOPASSWD:  ALL

Or, a more restricted way - only allow this for your script:

tux    ALL = NOPASSWD: /opt/tomcat/bin/shutdown.sh

After that check that the changes are in effect by running any command from terminal, e.g.:

sudo id

and it should not prompt for root password.

UPDATE:

To make Apache run a script that belongs to another user (e.g. tux) add this line to sudoers:

www-data ALL=(ALL) NOPASSWD: /bin/bash /opt/tomcat/bin/shutdown.sh

Then you should be able to run it without password like so:

sudo -u tux /opt/tomcat/bin/shutdown.sh

Also, check these:

• How to call shell script from php that requires SUDO?
• sudo in php exec()
• https://serverfault.com/questions/157272/allow-apache-to-run-a-command-as-a-different-user