anyone run a job as a different user sending to background?

Status
Not open for further replies.

BobMCT

IS-IT--Management
Sep 11, 2000
756
US
Strange one...
I have a shell script (bash) that I am sending to "at" to run at a future time. That script needs to be run as another user. I've been experimenting with sudo but I need to pass it a password. My trial format is:

sudo -u other_user -A /tmp/pwdfile scriptname.sh parameter(s)

My research shows that the -u option specifies the username to run the task as and the -A option the file to where sysin can be found.

To pass this to "at" my command actually looks like this:

echo "sudo -u other_user -A /tmp/pwdfile script.sh params" | at hh:mm

Of course, without the sudo stuff the above command works but the username is incorrect and it causes permission problems.

So I am wondering if anyone has done this before and would be willing to share their technique?

Thanks all.
 
I am not an expert in this area, but my initial reaction to the description is that it sounds like an application for setuid. The setuid bit is one of the semi-hidden permission bits that will cause a program to operate under the privileges of the owner rather than the user calling the function. Using this you could set the owner to root or some other user as needed for the permissions and it would operate as that user. On the surface, setuid is simple to use. There are a couple of gotchas, though; I can't remember the details, but it resulted in a DOH moment, in that you need to set a couple of other simple items. If you try it and don't have immediate results, do a little digging before you give up.

 
Thanks Noway2,

Sounded like a very simple solution. But although Ubuntu let me apply the setuid on the script file and run it, it still ran as the originating user.

Oh well, on to another solution.

Thanks :-(
 
That is exactly what I meant. There is something else that you need to do. I had the exact same problem until I found the right how-to file that showed what the other thing you needed to set was. I think this was the solution:
It is saying that you can't call the shell script directly with setuid. The reason being that setuid has been disabled for shell scripts and Ubuntu is one of the ones that does this.

Instead you have to write a simple C wrapper (executable) program that calls the shell script on your behalf.
 
Noway2,

Followed your lead and I was able to create the wrapper which functions as advertised. Problem is - it needs a variable number of options and values to be accepted and passed to the called script.

I tried several approaches from examples I was able to google but could not get any to compile. 'Guess I'm not a C programmer after all.

While I'm continuing to search, if you know of a wrapper that can do this I'd certainly appreciate a pointer to it.

Thanks - enjoy your weekend.
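
A minimal setuid wrapper of the kind discussed above that forwards a variable number of arguments to one fixed script, as an added example that is not code from any poster in this thread. The script path `/usr/local/libexec/script.sh`, the helper name `build_script_argv` and the fixed `PATH` value are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical path. The script and its directory must not be writable
   by the calling user, or the wrapper hands out the owner's identity. */
#define SCRIPT_PATH "/usr/local/libexec/script.sh"

/* Fixed environment: nothing from the caller (PATH, IFS, BASH_ENV, LD_*) is passed on. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Place the fixed script path in slot 0 and copy the caller's arguments behind it.
   Returns a NULL-terminated, malloc'd vector, or NULL on allocation failure.
   Arguments are forwarded verbatim, so the script must treat them as untrusted. */
char **build_script_argv(const char *script, int argc, char **argv)
{
    int nargs = argc > 1 ? argc - 1 : 0;   /* argc may be 0 or 1: no arguments */
    char **out = calloc((size_t)nargs + 2, sizeof *out);
    if (out == NULL)
        return NULL;
    out[0] = (char *)script;
    for (int i = 0; i < nargs; i++)
        out[i + 1] = argv[i + 1];
    return out;                            /* calloc left the last slot NULL */
}

int main(int argc, char **argv)
{
    uid_t target = geteuid();              /* owner of the setuid binary */
    gid_t tgroup = getegid();

    /* Make real == effective so the shell keeps the setuid identity; group first. */
    if (setregid(tgroup, tgroup) != 0 || setreuid(target, target) != 0) {
        perror("set ids");
        return 1;
    }
    char **script_argv = build_script_argv(SCRIPT_PATH, argc, argv);
    if (script_argv == NULL) {
        perror("calloc");
        return 1;
    }
    execve(SCRIPT_PATH, script_argv, CLEAN_ENV);   /* script needs a #! line */
    perror("execve");
    return 127;
}
```

The compiled binary is owned by the target user with mode 4750 (or tighter) and a group that contains only the accounts allowed to call it; supplementary groups still come from the caller.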
 
Are your options and values passed on the command line as arguments or do you use command line switches, e.g. command -flag1 -flag2?

If you could post an example of how you call your script, with an example of an option we may be able to help get you started on the right track. There are also the variable arguments functions of C that may be of benefit.

As an alternative to setuid, there may be a way to modify the sudoers privileges (via visudo) and give the user the appropriate permissions.
 
Had you not thought about simply getting your "at" (or cron) to run a simple ssh login with in-line call to the script?

1) set-up ssh-authorised key for your user so you can ssh with key rather than password

2) ensure the script under the user is executable (as that user, so test it first)

3) then just get your "at" to ssh <someuser>@localhost "/path/to/the/script/script.?sh"

That will login to localhost as the user <someuser> (assuming your user is on the same box) and run the script as that user and then exit back to the user that called the "at".

Laurie.
 
Two other options,
1. Update sudoers file to NOPASSWD: for that script. Then run at job as normal.
2. use a su - username -c "script.sh params"


Tony ... aka chgwhat

When in doubt,,, Power out...
 
OK - getting there. Let's fine tune this a little more.

From a php program running under apache (apache runs as user) I need to run a specific command as the owner of that specific command for permissions reasons. And, because this cmd runs as a result of either "at" or "crontab" it cannot be asked a password.

So, in my sudoers file I need something similar to this?

local=NOPASSWD (other-user) /path/to/script.sh

Gleaned from the man sudoers and other google searches.

Does this look like the format required for the sudoer line?

Comments? Thanks
 
I think this is what you want:

Code:
www-data local = (other-user) NOPASSWD: /path/to/script.sh

Annihilannic
 