[opensuse] Run command as another user
Hi,

I need to be able to run a command as another user.

I have worked out that I can run the following from one user to execute a command as the other (bob).

    su - bob -c command
    prompt for password
    enter password
    command runs as bob

but, how can I run this on one line for use in a script? (so that I am not prompted for a password). something like;

    su - bob -c command -p bobspassword

The user executing the script is not a sudoer so I cannot use;

    echo bobspassword | sudo -S -u bob command

thanks
Paul

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Paul --

...and then Paul Groves said...
%
% Hi,

Hiya!

%
% I need to be able to run a command as another user.
[snip]

Only root can su to an account without a password, and there is no -p flag as you hypothesized, so su is probably out. You don't want that anyway, though; sudo is worlds better.

The logical question is "why can't you provide sudo access for Joe to run as Bob?". Do you have root on this system or know who does? What's standing in your way?

Finally, if bob has a normal shell rather than a network-login-blocked shell of some sort, another alternative might be to make an ssh connection with a key rather than a password and kick off the command that way. If you don't have to worry about display variables or a few other bits, then that can be a very simple answer.

HTH & HAND

:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
28.09.2017 17:34, Paul Groves wrote:
Hi,
I need to be able to run a command as another user.
I have worked out that I can run the following from one user to execute a command as the other (bob).
su - bob -c command prompt for password enter password
command runs as bob
but, how can I run this on one line for use in a script? (so that I am not prompted for a password). something like; su - bob -c command -p bobspassword
The user executing the script is not a sudoer so I cannot use; echo bobspassword | sudo -S -u bob command
Well ... the only thing you can do without having superuser rights for this system is to compile a SUID binary owned by user bob that executes the needed command. I presume making the command SUID directly is not an option. And if you do have superuser rights, you can simply edit sudoers and let the user run this script as bob (even without password). Keep in mind that if your "command" is a script, shell does not like being run suid and so will likely reset EUID back to calling user ... unless you use sudo which makes sure it does not happen.
An alternative...
Keep in mind that if your "command" is a script, shell does not like being run suid and so will likely reset EUID back to calling user ... unless you use sudo which makes sure it does not happen.
You can write a dirt simple c program to call the hard coded script path. That wrapper can be setuid to root. It's not elegant (and I'd use sudo myself) but it's worth noting.
--
Josef Fortier Systems Administrator fortier@augsburg.edu Phone: 612-330-1479
Josef, et al -- ...and then Josef Fortier said... % ... % You can write a dirt simple c program to call the hard coded script % path. That wrapper can be setuid to root. % It's not elegant (and I'd use sudo myself) but it's worth noting. True, but that presumes that the guy has root access, at which point we're back to either being root to run su (ew) without a password or, as you suggest, using sudo. I get the impression that the OP is a normal user who isn't going to get help from root. HAND :-D -- David T-G See http://justpickone.org/davidtg/email/ See http://justpickone.org/davidtg/tofu.txt
On 29/09/17 10:28, David T-G wrote:
Josef, et al --
...and then Josef Fortier said... % ... % You can write a dirt simple c program to call the hard coded script % path. That wrapper can be setuid to root. % It's not elegant (and I'd use sudo myself) but it's worth noting.
True, but that presumes that the guy has root access, at which point we're back to either being root to run su (ew) without a password or, as you suggest, using sudo. I get the impression that the OP is a normal user who isn't going to get help from root. correct.
I like the idea of the c program though. I could pass in the username, password and command using getopt So then the question becomes how do I run a command using another user's credentials in c / c++? can system() do this?
HAND
:-D
Paul -- ...and then Paul Groves said... % ... % So then the question becomes how do I run a command using another % user's credentials in c / c++? can system() do this? Your first step is to get root access, which puts you right back at allowing sudo execution. I really don't think you want to try reinventing the wheel... HAND :-D -- David T-G See http://justpickone.org/davidtg/email/ See http://justpickone.org/davidtg/tofu.txt
On Fri, Sep 29, 2017 at 2:44 PM, David T-G <d13@justpickone.org> wrote:
Paul --
...and then Paul Groves said... % ... % So then the question becomes how do I run a command using another % user's credentials in c / c++? can system() do this?
Your first step is to get root access,
wrong. Read my earlier reply.
Andrei, et al -- ...and then Andrei Borzenkov said... % % On Fri, Sep 29, 2017 at 2:44 PM, David T-G <d13@justpickone.org> wrote: % > % > Your first step is to get root access, % % wrong. Read my earlier reply. Do you mean the one where you said to compile an SUID binary to call bob's script? The binary that, while easy to make, requires root to install? That reply? Or did I miss a reply from you that doesn't involve root at all? [I don't think that you were the guy who proposed using expect, which although not invalid is a lot less optimal than ssh if the latter is possible, although I'm not going to spend too much digging back through the thread to confirm.] HAND :-D -- David T-G See http://justpickone.org/davidtg/email/ See http://justpickone.org/davidtg/tofu.txt
On 29/09/17 14:18, David T-G wrote:
Andrei, et al --
...and then Andrei Borzenkov said... % % On Fri, Sep 29, 2017 at 2:44 PM, David T-G <d13@justpickone.org> wrote: % > % > Your first step is to get root access, % % wrong. Read my earlier reply.
Do you mean the one where you said to compile an SUID binary to call bob's script? The binary that, while easy to make, requires root to install? That reply? Or did I miss a reply from you that doesn't involve root at all?
[I don't think that you were the guy who proposed using expect, which although not invalid is a lot less optimal than ssh if the latter is possible, although I'm not going to spend too much digging back through the thread to confirm.]
HAND
:-D I believe everyone is getting confused. I do not want root access, nor can I obtain root access. There is a script which is run from a standard user account. I cannot change this in any way, however there is one command in the script which requires sudo / root.
There is one user on this system (which we have named bob for this example). Bob is in the sudoers group so can run sudo commands.

So I was thinking that I could make a small C / C++ program. In the script I could call like this:

    cprogram --user bob --pasword bobspassword

So this c program now has the credentials of Bob. So essentially the C program can authenticate as Bob using his username and password.

Once the C program is authenticated as bob, any command which is run will appear to be running from bob's account. Therefore with Bob's privileges therefore allowing sudo commands to be run (as Bob).

I have written the c++ program up to the last two steps. The bit I am stuck on is executing a command using credentials.

I would normally use; system("command"); to run a command as whichever user executed my program.

But in this case I am looking for something like the following:

    char username = "bob";
    char password = "bobspassword";
    system("command", username, password);

If that makes sense? But I do not think system can do such a thing. Can it?

There must be a way to do this somehow...

Paul
On 29.09.2017 at 16:56, Paul Groves wrote:
On 29/09/17 14:18, David T-G wrote:
Andrei, et al --
...and then Andrei Borzenkov said... % % On Fri, Sep 29, 2017 at 2:44 PM, David T-G <d13@justpickone.org> wrote: % > % > Your first step is to get root access, % % wrong. Read my earlier reply.
Do you mean the one where you said to compile an SUID binary to call bob's script? The binary that, while easy to make, requires root to install? That reply? Or did I miss a reply from you that doesn't involve root at all?
[I don't think that you were the guy who proposed using expect, which although not invalid is a lot less optimal than ssh if the latter is possible, although I'm not going to spend too much digging back through the thread to confirm.]
HAND
:-D I believe everyone is getting confused. I do not want root access, nor can I obtain root access. There is a script which is run from a standard user account. I cannot change this in any way, however there is one command in the script which requires sudo / root.
There is one user on this system (which we have named bob for this example). Bob is in the sudoers group so can run sudo commands.
So I was thinking that I could make a small C / C++ program. In the script I could call like this: cprogram --user bob --pasword bobspassword
So this c program now has the credentials of Bob. So essentially the C program can authenticate as Bob using his username and password.
Once the C program is authenticated as bob, any command which is run will appear to be running from bob's account. Therefore with Bob's privileges therefore allowing sudo commands to be run (as Bob).
I have written the c++ program up to the last two steps. The bit I am stuck on is executing a command using credentials.
I would normally use; system("command"); to run a command as whichever user executed my program.
But in this case I am looking for something like the following:
char username = "bob"; char password = "bobspassword"; system("command", username, password);
If that makes sense? But I do not think system can do such a thing. Can it?
There must be a way to do this somehow...
Paul
Well, no. We're not confused. We're discussing ways how you can get your program to be run under user "bob". You can 1) use "expect" in a bash-script and then execute your program from there or 2) create a sudo-exception, log in as root and then run sudo --user bob as you don't need credentials for another user as root.
Simon & Paul, et al --

...and then Simon Heimbach said...
%
% On 29.09.2017 at 16:56, Paul Groves wrote:
...
% > I believe everyone is getting confused. I do not want root access, nor
% > can I obtain root access. There is a script which is run from a standard
...
% > So I was thinking that I could make a small C / C++ program. In the
% > script I could call like this:
% > cprogram --user bob --pasword bobspassword

Paul, to become bob in this way will basically require root, because you're still changing user context. This probably isn't where you can go.

% > ...
% > There must be a way to do this somehow...
%
% Well, no. We're not confused.
% We're discussing ways how you can get your program to be run under user
% "bob". You can 1) use "expect" in a bash-script and then execute your
% program from there or 2) create a sudo-exception, log in as root and
% then run sudo --user bob as you don't need credentials for another user
% as root.

... or 3) just ssh in as bob and let the OS take care of authentication and user switching and just run the program.

You mentioned, though, that "bob" has sudo access and that you want to have the bob account run the elevated-access program. Note that sudo often requires that one authenticate, which very well might put you back in the expect(1) world.

The more detail you can give us, the better we can provide ideas :-)

HTH & HAND

:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
On 2017-09-29 22:36, David T-G wrote:
The more detail you can give us, the better we can provide ideas :-)
He said he wants to do this in C: system("command", username, password); Plain simple :-) I don't know of a way to call a command giving user and password in its command line. Except expect. Or ssh with key pairs, not password. He is not root, he can not configure sudo. He has sudo access and the target user password. But sudo stops the script and asks for the password. He wants the script to not ask, just provide the password automatically. Any method such as expect would store the password in a file in the clear, so it is a security risk. Correct method I think would be ssh and key pairs. The login session can store the password to the keys. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 30/09/17 00:33, Carlos E. R. wrote:
On 2017-09-29 22:36, David T-G wrote:
The more detail you can give us, the better we can provide ideas :-) He said he wants to do this in C:
system("command", username, password);
Plain simple :-)
I don't know of a way to call a command giving user and password in its command line. Except expect. Or ssh with key pairs, not password. SSH is rather unnecessary as it only needs access to the local machine.
Is there a way of logging into a local shell as a user in C to run the commands?
He is not root, he can not configure sudo. He has sudo access and the target user password. But sudo stops the script and asks for the password. He wants the script to not ask, just provide the password automatically. Exactly! Any method such as expect would store the password in a file in the clear, so it is a security risk. Correct method I think would be ssh and key pairs. The login session can store the password to the keys.
Unless I could save the password as something like an md5 string? Then decrypt that in the C program.
On Mon, Oct 2, 2017 at 4:02 PM, Paul Groves <paul.groves.787@gmail.com> wrote:
On 30/09/17 00:33, Carlos E. R. wrote:
On 2017-09-29 22:36, David T-G wrote:
The more detail you can give us, the better we can provide ideas :-)
He said he wants to do this in C:
system("command", username, password);
Plain simple :-)
I don't know of a way to call a command giving user and password in its command line. Except expect. Or ssh with key pairs, not password.
SSH is rather unnecessary as it only needs access to the local machine.
This is still the simplest way to log in as another user (and without password); and it can be configured to execute only specific command for a given public key.
Is there a way of logging into a local shell as a user in C to run the commands?
He is not root, he can not configure sudo. He has sudo access and the target user password. But sudo stops the script and asks for the password. He wants the script to not ask, just provide the password automatically.
Exactly!
Any method such as expect would store the password in a file in the clear, so it is a security risk. Correct method I think would be ssh and key pairs. The login session can store the password to the keys.
Unless I could save the password as something like an md5 string? Then decrypt that in the C program.
You cannot "decrypt" md5.
On 2017-10-02 15:02, Paul Groves wrote:
On 30/09/17 00:33, Carlos E. R. wrote:
On 2017-09-29 22:36, David T-G wrote:
The more detail you can give us, the better we can provide ideas :-) He said he wants to do this in C:
system("command", username, password);
Plain simple :-)
I don't know of a way to call a command giving user and password in its command line. Except expect. Or ssh with key pairs, not password. SSH is rather unnecessary as it only needs access to the local machine.
still, ssh can run against the same local machine, it can work passwordless, and it does not require "root" to configure it. So it is your best chance.
Is there a way of logging into a local shell as a user in C to run the commands?
As far as I know (which is limited), no. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 02.10.2017 15:02, Paul Groves wrote:
On 30/09/17 00:33, Carlos E. R. wrote:
On 2017-09-29 22:36, David T-G wrote:
The more detail you can give us, the better we can provide ideas :-) He said he wants to do this in C:
system("command", username, password);
Plain simple :-)
I don't know of a way to call a command giving user and password in its command line. Except expect. Or ssh with key pairs, not password. SSH is rather unnecessary as it only needs access to the local machine.
Is there a way of logging into a local shell as a user in C to run the commands?
He is not root, he can not configure sudo. He has sudo access and the target user password. But sudo stops the script and asks for the password. He wants the script to not ask, just provide the password automatically. Exactly! Any method such as expect would store the password in a file in the clear, so it is a security risk. Correct method I think would be ssh and key pairs. The login session can store the password to the keys.
Unless I could save the password as something like an md5 string? Then decrypt that in the C program.
I did not read all, but this solution seems complicated and/or unsafe, because you have to store bob's password somewhere.

The "s" bit in chmod does not mean "suid root", it only means "suid". So bob can do this:

    cp /usr/bin/id /home/bob/id
    chmod u+s /home/bob/id

If alice runs /home/bob/id, then the effective user id (euid) will be bob!

So, how do you manage access to this suid binary? One way can be group permissions: alice and bob probably share a unix group, and no one else is member of this group. Or you use ACLs. Bob permits execute access to alice:

    chmod 4744 /home/bob/id
    setfacl -m user:alice:rx /home/bob/id

Check:

    getfacl /home/bob/id
    # file: /home/bob/id
    # owner: bob
    # group: users
    # flags: s--
    user::rwx
    user:alice:r-x
    group::r--
    mask::r-x
    other::r--

But really the best way is to get root to edit the sudoers.
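As an added example (not code posted by anyone in this thread), here is a setuid wrapper of the kind Andrei Borzenkov and Florian Gleixner describe: bob compiles it, owns it and sets the s bit, and it runs one hard-coded command as bob. It also sets the real UID to bob's, because a shell started with differing real and effective UIDs resets the EUID, as noted earlier in the thread. TARGET_CMD and the UID in ALLOWED_CALLERS are placeholders, and the function names are this example's own.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder values (assumptions, not from the thread): adjust before building. */
#define TARGET_CMD "/home/bob/bin/privileged-step.sh"
static const uid_t ALLOWED_CALLERS[] = { 1001 };   /* e.g. alice's UID */
#define N_ALLOWED (sizeof ALLOWED_CALLERS / sizeof ALLOWED_CALLERS[0])

/* Return 1 if the real UID (the user who started the wrapper) is allowlisted.
 * This backs up the file ACL; it does not replace it. */
int caller_is_allowed(uid_t ruid, const uid_t *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == ruid)
            return 1;
    return 0;
}

/* Build "HOME=..." and "LOGNAME=..." from the file owner's passwd entry so the
 * command never sees the caller's environment.
 * Returns 0 on success, -1 on a missing entry or truncation. */
int build_env(const struct passwd *pw, char *home, size_t hlen,
              char *logname, size_t llen)
{
    if (pw == NULL || pw->pw_dir == NULL || pw->pw_name == NULL)
        return -1;
    int a = snprintf(home, hlen, "HOME=%s", pw->pw_dir);
    int b = snprintf(logname, llen, "LOGNAME=%s", pw->pw_name);
    if (a < 0 || (size_t)a >= hlen || b < 0 || (size_t)b >= llen)
        return -1;
    return 0;
}

/* Make real UID equal to effective UID (the file owner). An unprivileged
 * process may do this; no root is involved. Returns 0 on success. */
int become_owner(void)
{
    uid_t owner = geteuid();
    if (setreuid(owner, owner) != 0)
        return -1;
    return (getuid() == owner && geteuid() == owner) ? 0 : -1;
}

int main(void)
{
    char home[256], logname[64];

    /* getuid() is still the caller here; geteuid() is the file owner. */
    if (!caller_is_allowed(getuid(), ALLOWED_CALLERS, N_ALLOWED)) {
        fprintf(stderr, "wrapper: caller uid %ld not permitted\n",
                (long)getuid());
        return 126;
    }
    if (build_env(getpwuid(geteuid()), home, sizeof home,
                  logname, sizeof logname) != 0 || become_owner() != 0) {
        fprintf(stderr, "wrapper: cannot switch to file owner\n");
        return 126;
    }

    /* Fixed argv and envp: nothing from the caller's command line or
     * environment reaches the target, and no password is stored anywhere. */
    char *const argv[] = { (char *)TARGET_CMD, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", home, logname, NULL };
    execve(TARGET_CMD, argv, envp);
    perror("wrapper: execve");
    return 127;
}
```

The s bit is ignored on a filesystem mounted nosuid, and the process keeps the caller's group IDs because only the UID changes. TARGET_CMD and its directory must be writable by bob alone, since anyone who can edit them can run arbitrary commands as bob.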
On 2017-10-02 17:29, Florian Gleixner wrote:
On 02.10.2017 15:02, Paul Groves wrote:
I did not read all, but this solution seems complicated and/or unsafe, because you have to store bob's password somewhere.
Right.
The "s" bit in chmod does not mean "suid root", it only means "suid". So bob can do this:
As user? Doesn't he need be root to do the changes?
    cp /usr/bin/id /home/bob/id
    chmod u+s /home/bob/id
If alice runs /home/bob/id, then the effective user id (euid) will be bob!
So, how do you manage access to this suid binary? One way can be group permissions: alice and bob probably share a unix group, and no one else is member of this group. Or you use ACLs. Bob permits execute access to alice:
    chmod 4744 /home/bob/id
    setfacl -m user:alice:rx /home/bob/id
Check:
    getfacl /home/bob/id
    # file: /home/bob/id
    # owner: bob
    # group: users
    # flags: s--
    user::rwx
    user:alice:r-x
    group::r--
    mask::r-x
    other::r--
But really the best way is to get root to edit the sudoers.
But he is not root. He can not edit sudoers. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 02.10.2017 22:48, Carlos E. R. wrote:
On 2017-10-02 17:29, Florian Gleixner wrote:
The "s" bit in chmod does not mean "suid root", it only means "suid". So bob can do this:
As user? Doesn't he need be root to do the changes?
No. Just try. The "s" bit is often misunderstood as "suid root", but it only changes to the owner of the file, not (only) root. So why should a user not be able to set it for his own files? Try!
On 2017-10-03 02:55, Florian Gleixner wrote:
On 02.10.2017 22:48, Carlos E. R. wrote:
On 2017-10-02 17:29, Florian Gleixner wrote:
The "s" bit in chmod does not mean "suid root", it only means "suid". So bob can do this:
As user? Doesn't he need be root to do the changes?
No. Just try. The "s" bit is often misunderstood as "suid root", but it only changes to the owner of the file, not (only) root. So why should a user not be able to set it for his own files? Try!
I know it is not suid root.

cer@Telcontar:~> l /usr/bin/id
-rwxr-xr-x 1 root root 39872 Oct 7 2016 /usr/bin/id*
cer@Telcontar:~> cp /usr/bin/id /home/cer/id
cer@Telcontar:~> chmod u+s /home/cer/id
cer@Telcontar:~> l id
-rwsr-xr-x 1 cer users 39872 Oct 3 13:33 id*
cer@Telcontar:~> ./id
uid=1000(cer) gid=100(users) groups=100(users),0(root),10(wheel),...
cer@Telcontar:~>

cer@Telcontar:~> su - pepe
Password:
pepe@Telcontar:~> /home/cer/id
uid=1009(pepe) gid=100(users) euid=1000(cer) groups=100(users),17(audio),33(video)
pepe@Telcontar:~>

cer@Telcontar:~> chmod 4744 /home/cer/id
cer@Telcontar:~> l id
-rwsr--r-- 1 cer users 39872 Oct 3 13:33 id*
cer@Telcontar:~> setfacl -m user:pepe:rx /home/cer/id
cer@Telcontar:~> getfacl /home/cer/id
getfacl: Removing leading '/' from absolute path names
# file: home/cer/id
# owner: cer
# group: users
# flags: s--
user::rwx
user:pepe:r-x
group::r--
mask::r-x
other::r--

cer@Telcontar:~>

Notice that /I/ can not change the group. You said:

«So, how do you manage access to this suid binary? One way can be group permissions: alice and bob probably share a unix group, and no one else is member of this group.»

AFAIK only root can do that (create that group and who belongs to it), it is not the default in openSUSE.

--
Cheers / Saludos,

Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
On 03.10.2017 13:48, Carlos E. R. wrote:
Notice that /I/ can not change the group. You said:
«So, how do you manage access to this suid binary? One way can be group permissions: alice and bob probably share a unix group, and no one else is member of this group.»
AFAIK only root can do that (create that group and who belongs to it), it is not the default in openSUSE.
If they have by chance the same group, you can use it. If not, you can set file ACLs.
02.10.2017 23:48, Carlos E. R. wrote:
On 2017-10-02 17:29, Florian Gleixner wrote:
On 02.10.2017 15:02, Paul Groves wrote:
I did not read all, but this solution seems complicated and/or unsafe, because you have to store bob's password somewhere.
Right.
The "s" bit in chmod does not mean "suid root", it only means "suid". So bob can do this:
As user? Doesn't he need be root to do the changes?
No. I told this from the very beginning.
On 29.09.2017 at 16:56, Paul Groves wrote:
But in this case I am looking for something like the following:
char username = "bob"; char password = "bobspassword"; system("command", username, password);
If that makes sense? But I do not think system can do such a thing. Can it?
The Unix guys have been working hard for 40 years to make Unix safe. You'll have to follow the rules.

The command in question is called "sudo". sudo isn't magic. It's using an API to switch the current user of a process.

The API call is "setuid" https://en.wikipedia.org/wiki/Setuid

You must be root to call it, otherwise you'll get an error.

"sudo" can call this API because the file /usr/bin/sudo has the "S" bit set (SUID bit) which means: The system will start it as root even if you call it.

sudo will then read a file (which only root can change) to check whether you're allowed to run it. If not, it will stop.

To set the S bit of a file, you need to be root.

That's why, no matter how you look at the problem, you need to be root. The Unix guys had 40 years worth of experience with people trying to game the system and they plugged every hole.

The only other option is SSH because you can ask bob to install your public key in his allowed_keys file. When he does that, you can ssh into his account (ssh bob@localhost) using *your* private SSH password.

The most simple solution to use SSH in a script is to create a new SSH key pair *without password* (just press return) and give *that* public key to bob.

Note: If someone steals the private key for this pair, they can access all of bob's files and run stuff as bob. You're now responsible for your own safety and the one of bob. Good luck.

Note 2: Unlike the sudo solution, you can run any command as bob. sudo allows to restrict what you can do. So this is a huge security risk for bob. I wouldn't allow it.

Note 3: Never use passwords as command line arguments. Anyone on the same computer can see all command line arguments of all processes. It's very easy to steal passwords this way.

Regards,

--
Aaron "Optimizer" Digulla a.k.a. Philmann Dark
"It's not the universe that's limited, it's our imagination. Follow me and I'll show you something beyond the limits."
http://blog.pdark.de/
On 2017-10-06 13:43, Aaron Digulla wrote:
On 29.09.2017 at 16:56, Paul Groves wrote:
But in this case I am looking for something like the following:
char username = "bob"; char password = "bobspassword"; system("command", username, password);
If that makes sense? But I do not think system can do such a thing. Can it?
The Unix guys have been working hard for 40 years to make Unix safe. You'll have to follow the rules.
The command in question is called "sudo". sudo isn't magic. It's using an API to switch the current user of a process.
The API call is "setuid" https://en.wikipedia.org/wiki/Setuid
You must be root to call it, otherwise you'll get an error.
Which he said he is not.
The only other option is SSH because you can ask bob to install your
If you read other answers, you will see there is another method. I thought the same as you. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On Fri, Sep 29, 2017 at 4:18 PM, David T-G <d13@justpickone.org> wrote:
Andrei, et al --
...and then Andrei Borzenkov said... % % On Fri, Sep 29, 2017 at 2:44 PM, David T-G <d13@justpickone.org> wrote: % > % > Your first step is to get root access, % % wrong. Read my earlier reply.
Do you mean the one where you said to compile an SUID binary to call bob's script? The binary that, while easy to make, requires root to install?
No. It requires bob to install. I do not expect someone's run something on bob's behalf without bob being aware of it. If the goal is run command as bob without letting bob know, then one must be root indeed.
Hi Paul,

I see two ways of getting around the password

1) Use spawn/expect/send
Have a look here: https://stackoverflow.com/questions/16928004/how-to-enter-ssh-password-using...

2) Create a sudo-exception:
Have a look here: https://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-edit...

Anyway, be careful about both! Think twice about your security!

Simon

On 28.09.2017 at 16:34, Paul Groves wrote:
Hi,
I need to be able to run a command as another user.
I have worked out that I can run the following from one user to execute a command as the other (bob).
su - bob -c command prompt for password enter password
command runs as bob
but, how can I run this on one line for use in a script? (so that I am not prompted for a password). something like; su - bob -c command -p bobspassword
The user executing the script is not a sudoer so I cannot use; echo bobspassword | sudo -S -u bob command
thanks Paul
28.09.2017 20:16, Simon Heimbach wrote:
Hi Paul,
I see two ways of getting around the password
1) Use spawn/expect/send Have a look here: https://stackoverflow.com/questions/16928004/how-to-enter-ssh-password-using...
Of course, thanks for the reminder, expect is swiss army knife if one needs to provide "terminal" input to a program. BTW, zsh has module that implements pty, created for similar purpose (it allows starting program connected to a "terminal" and supply input to it).
2) Create a sudo-exception: Have a look here: https://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-edit...
Anyway, be careful about both! Think twice about your security!
Simon
On 28.09.2017 at 16:34, Paul Groves wrote:
Hi,
I need to be able to run a command as another user.
I have worked out that I can run the following from one user to execute a command as the other (bob).
su - bob -c command prompt for password enter password
command runs as bob
but, how can I run this on one line for use in a script? (so that I am not prompted for a password). something like; su - bob -c command -p bobspassword
The user executing the script is not a sudoer so I cannot use; echo bobspassword | sudo -S -u bob command
thanks Paul
On 09/28/2017 10:34 AM, Paul Groves wrote:
Hi,
I need to be able to run a command as another user.
I have worked out that I can run the following from one user to execute a command as the other (bob).
su - bob -c command prompt for password enter password
command runs as bob
but, how can I run this on one line for use in a script? (so that I am not prompted for a password). something like; su - bob -c command -p bobspassword
The user executing the script is not a sudoer so I cannot use; echo bobspassword | sudo -S -u bob command
You can use sudo. I have used it for a couple of things. I created a directory where all the scripts get the root rights and then call the script.
James -- ...and then James Knott said... % % You can use sudo. I have used it for a couple of things. I created a % directory where all the scripts get the root rights and then call the % script. That sounds like an interesting approach... Care to share more? HAND :-D -- David T-G See http://justpickone.org/davidtg/email/ See http://justpickone.org/davidtg/tofu.txt
On 09/28/2017 03:26 PM, David T-G wrote:
James --
...and then James Knott said... % % You can use sudo. I have used it for a couple of things. I created a % directory where all the scripts get the root rights and then call the % script.
That sounds like an interesting approach... Care to share more?
It took me a lot of effort to figure out and it was a few years ago, so I don't recall the details. You'll have to do some reading on sudo. However, my /etc/sudoers file contains:

    ## User privilege specification
    ##
    root ALL = (ALL) ALL
    jknott ALL = NOPASSWD: /local/usr/bin/sudo/*

The /local/usr/bin/sudo directory is where I place the scripts that require root privilege to run. I'd call the script with sudo /local/usr/bin/sudo/<script_name>.
James --

...and then James Knott said...
% ...
% The /local/usr/bin/sudo directory is where I place the scripts that
% require root privilege to run. I'd call the script with sudo
% /local/usr/bin/sudo/<script_name>.

Ooohhhhhhh! Now I get it. I somehow misread you to say that you had a directory of wrapper scripts which had some smarts to carefully call other scripts to do work; what I see here is that you just put all of the stuff that needs elevation into one directory to keep things simple. I also like that :-)

Thanks again & HAND

:-D
--
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
I am pretty sure I have done this by having an entry in the sudoers file saying allow this command by this user without a password.

I haven't read all the replies so excuse repetition, and if you can't change the sudoers file then this is no use.

Paul Groves wrote:
Hi,
I need to be able to run a command as another user.
I have worked out that I can run the following from one user to execute a command as the other (bob).
su - bob -c command prompt for password enter password
command runs as bob
but, how can I run this on one line for use in a script? (so that I am not prompted for a password). something like; su - bob -c command -p bobspassword
The user executing the script is not a sudoer so I cannot use; echo bobspassword | sudo -S -u bob command
thanks Paul
Why is this discussion still going on, when I posted a method that has worked for me for years? Just create a directory where sudo can be used to run scripts, without requiring a password.

Look back to when I posted it on Sept 28.

On 10/06/2017 06:54 AM, Richmond wrote:
I am pretty sure I have done this by having an entry in the sudoers file saying allow this command by this user without a password.
I haven't read all the replies so excuse repetition, and if you can't change the sudoers file then this is no use.
Paul Groves wrote:
Hi,
I need to be able to run a command as another user.
I have worked out that I can run the following from one user to execute a command as the other (bob).
su - bob -c command prompt for password enter password
command runs as bob
but, how can I run this on one line for use in a script? (so that I am not prompted for a password). something like; su - bob -c command -p bobspassword
The user executing the script is not a sudoer so I cannot use; echo bobspassword | sudo -S -u bob command
thanks Paul
* James Knott <james.knott@rogers.com> [10-07-17 07:18]:
Why is this discussion still going on, when I posted a method that has worked for me for years? Just create a directory where sudo can be used to run scripts, without requiring a password.
Look back to when I posted it on Sept 28.
On 10/06/2017 06:54 AM, Richmond wrote:
I am pretty sure I have done this by having an entry in the sudoers file saying allow this command by this user without a password.
I haven't read all the replies so excuse repetition, and if you can't change the sudoers file then this is no use.
Paul Groves wrote:
Hi,
I need to be able to run a command as another user.
I have worked out that I can run the following from one user to execute a command as the other (bob).
su - bob -c command prompt for password enter password
command runs as bob
but, how can I run this on one line for use in a script? (so that I am not prompted for a password). something like; su - bob -c command -p bobspassword
The user executing the script is not a sudoer so I cannot use; echo bobspassword | sudo -S -u bob command
thanks Paul
Why don't you understand the OP does not have root privileges and cannot alter "sudo" to provide necessary directory access.

or trim and top-post

--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
Registered Linux User #207535 @ http://linuxcounter.net
Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On 2017-10-07 13:16, James Knott wrote:
Why is this discussion still going on, when I posted a method that has worked for me for years? Just create a directory where sudo can be used to run scripts, without requiring a password.
Which needs being root to edit sudo, and he *is not root*.

--
Cheers / Saludos,
Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
participants (11)
- Aaron Digulla
- Andrei Borzenkov
- Carlos E. R.
- David T-G
- Florian Gleixner
- James Knott
- Josef Fortier
- Patrick Shanahan
- Paul Groves
- Richmond
- Simon Heimbach