I have script.sh that must be run as user2. However, this script can only be run under user1 in my application.

I would like the following command to run:

su user2 -C script.sh

but be able to run without password.

I also want this to be very restrictive, as in user1 can only run script.sh under user2 and nothing else.

I've tried doing this with sudoers file and just got endlessly confused after hours of trying.

If somebody can provide an explicit example of how this can be accomplished (instead of something generic like use sudoers), it would be greatly appreciated.

jww
user788171
    I don't particularly agree with the close. This is a question about how to program the system in a particular way; as such, it is about shell programming and is within scope of SO, which is for questions about programming. It is clear that a number of people do not see this as so off-topic that it should be down-voted; the question and the answers all have a considerable number of up-votes. – Jonathan Leffler Nov 22 '14 at 18:26

3 Answers

Try running:

su -c "Your command right here" -s /bin/sh username

This will run the command as username given that you have permissions to sudo as that user.

Florent
Jeronimo Robles
  • It worked as normal user with full sudo rights like this: `sudo su -c "Your command right here" -s /bin/sh otheruser` – rubo77 May 13 '13 at 11:00
  • Just a note for any mac users, apparently the syntax is a bit different: `su username -c "command"`. – NHDaly Dec 26 '13 at 05:45
  • If you're trying to start `screen` as another user then this might be helpful - http://www.linuxquestions.org/questions/linux-software-2/running-screen-command-for-different-users-at-startup-401990/#post2041890 – Mint Jan 06 '15 at 21:21
  • If `username` (or in the question, `user2`) has a password itself, this will not let you skip the prompt for it. The other answer does: no password needed, for both user1 and user2. – phil294 Mar 02 '18 at 19:32

Call visudo and add this:

user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh

The command paths must be absolute! Then call sudo -u user2 /home/user2/bin/test.sh from a user1 shell. Done.

Mifeet
pyroscope
  • There is a [nice description of sudoers](https://help.ubuntu.com/community/Sudoers) format on Ubuntu help. The man page for sudoers is ugly :( – Mifeet Aug 19 '15 at 12:45
  • So how would this scale for all users to run as user2, instead of just user1? – jiggunjer May 23 '20 at 13:47
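Added example (not part of the original answer): a small POSIX sh helper that stages the rule above as a sudoers drop-in and checks the two properties that make it genuinely restrictive: the command path is absolute (sudoers matches nothing else), and the script is not writable by other users, because anyone who can edit the script can run arbitrary commands as user2 through the rule. User names, paths and the drop-in file name are placeholders.

```shell
# Emit one sudoers line for runner -> target -> script.
# sudoers only matches absolute command paths, so reject anything else.
sudoers_rule() {
    runner=$1 target=$2 script=$3
    case $script in
        /*) ;;
        *) echo "command path must be absolute: $script" >&2; return 1 ;;
    esac
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$runner" "$target" "$script"
}

# Refuse a script that is group- or world-writable: anyone who can edit it
# turns "may run this one script as target" into "may run anything as target".
# Uses the ls -ld mode string (positions 6 and 9 are the group/other w bits).
script_is_locked_down() {
    [ -e "$1" ] || { echo "no such script: $1" >&2; return 1; }
    perm=$(ls -ld "$1" | cut -c1-10)
    case $perm in
        ?????w*|????????w?)
            echo "$1 is writable by group or others ($perm)" >&2; return 1 ;;
    esac
}

# Stage the rule as a drop-in (default /etc/sudoers.d), mode 0440 as sudo
# expects. The file name must not contain '.' or end in '~', or sudo skips it.
# Check the staged file with `visudo -cf FILE` before relying on it.
install_rule() {
    runner=$1 target=$2 script=$3 dir=${4:-/etc/sudoers.d}
    script_is_locked_down "$script" || return 1
    tmp=$(mktemp) || return 1
    sudoers_rule "$runner" "$target" "$script" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp" && mv "$tmp" "$dir/$runner-$target"
}
```

As root, `install_rule user1 user2 /home/user2/bin/test.sh` followed by `visudo -cf /etc/sudoers.d/user1-user2` and `sudo -l -U user1` confirms that the only command user1 may run as user2 is that script.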
`su -c "Your command right here" -s /bin/sh username`

The above command is correct, but on Red Hat, if SELinux is enforcing, it will not allow cron to execute scripts as another user. For example: `execl: couldn't exec /bin/sh`, `execl: Permission denied`.

I had to install setroubleshoot and setools and run the following to allow it:

yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
grep crond /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
Wai Ha Lee
C Jaskoski