Linux - General: This Linux forum is for general Linux questions and discussion.
If it is Linux related and doesn't seem to fit in any other forum then this is the place.
All servers mentioned below run OpenSuSE, either 10 or 11.
I am currently working on a few scripts that are meant to be used as part of a continuous integration setup. I am trying to keep these scripts reasonably secure, and so I have made sure that all the servers run these scripts only as a specific user (user1) that has permissions to basically nothing else. The problem I am currently running into is that I need to start and stop tomcat as user1 but this user doesn't have permissions to the tomcat directory (only tomcat has execute permissions). I have a temporary workaround in place while I work on the scripts (I have an SSH key in place that allows me to SSH from user1 to tomcat without a password and execute my commands that way) but it is not very secure. I have tried adding the following line to /etc/sudoers:
but it doesn't work as I expected it to. I tried a few different syntaxes for that line, but the man file was a little confusing and I'm not sure if the syntax was right. If anyone knows the proper syntax for this, or knows another way to su between users without a password prompt, I'd appreciate it.
p.s.- I need a way to actually execute commands as a different user in general- I have other uses for this in these scripts aside from simply starting and stopping Tomcat.
# Defining Cmnd_Aliases makes it easier to manage (groups of) services (later on):
Cmnd_Alias TOMCATSVC = /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh
# Allow "user1" to run on host "HOSTNAME" any command defined in the TOMCATSVC Cmnd_Alias as user "tomcat" w/o password:
user1 HOSTNAME = (tomcat) NOPASSWD: TOMCATSVC
Quote:
Originally Posted by Tyler_H72
or knows another way to su between users without a password prompt
You don't want to 'su' freely between users. Sudo already allows one user to execute commands as other users and w/o password.
Quote:
Originally Posted by unSpawn
# Defining Cmnd_Aliases makes it easier to manage (groups of) services (later on):
Cmnd_Alias TOMCATSVC = /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh
# Allow "user1" to run on host "HOSTNAME" any command defined in the TOMCATSVC Cmnd_Alias as user "tomcat" w/o password:
user1 HOSTNAME = (tomcat) NOPASSWD: TOMCATSVC
I have put this code into my /etc/sudoers file and changed the username and hostname values to appropriate values, but I am still prompted for a password every time I try to run the command "sudo tomcat /opt/tomcat/bin/shutdown.sh". Is there something I need to run to get these changes loaded? I've tried logging out of the user meant to run the commands and logging back in, but that is apparently not enough to load the changes.
Quote:
Originally Posted by unSpawn
You don't want to 'su' freely between users. Sudo already allows one user to execute commands as other users and w/o password.
Sudo allows one user to execute commands as other users AFTER they have entered the root password- my goal is to not be prompted for a password at all, as there won't be anyone there to type it in, and I'm not putting it in my script.
Actually, sudo allows one user to execute commands as another user; period.
Whether it asks for a passwd or not depends on the NOPASSWD option being set or not. Note also that it asks for the passwd of the src user, NOT root's passwd.
(If using the 'su -' cmd, it asks for the passwd of the target user, which may or may not be root...)
And to amplify a bit, sudo NEVER requires the root password.
When and if it requests a password, it is asking for the password of the user who called sudo. NOT root, and NOT the target user.
hint: If you have multiple lines in the sudoers file that may authorize the same command, one with nopass and one without, the order is important.
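As an added illustration (not code from the thread or from sudo itself), a small Python model of how sudo matches the rule posted above: it expands the Cmnd_Alias, requires user, host, run-as user and command all to match, and, as the hint says, lets the last matching line decide. The hostname "ci01" and the sample rules are constructed; real sudoers syntax (wildcards, groups, Defaults) is out of scope.

```python
import re
# Constructed sample: the thread's Cmnd_Alias and user spec, with "ci01"
# standing in for HOSTNAME. Not sudo's own parser: only literal users,
# hosts and commands, Cmnd_Alias lines and NOPASSWD:/PASSWD: tags.
SUDOERS = """
Cmnd_Alias TOMCATSVC = /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh
user1 ci01 = (tomcat) NOPASSWD: TOMCATSVC
"""

USER_SPEC = re.compile(
    r"(\S+)\s+(\S+)\s*=\s*(?:\((\S+)\)\s*)?(NOPASSWD:|PASSWD:)?\s*(.+)")

def parse_sudoers(text):
    """Return a list of rules, with command aliases already expanded."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments/blank lines
        if not line:
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = USER_SPEC.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        user, host, runas, tag, cmds = m.groups()
        expanded = []
        for c in cmds.split(","):
            expanded.extend(aliases.get(c.strip(), [c.strip()]))
        rules.append({"user": user, "host": host, "runas": runas or "root",
                      "nopasswd": tag == "NOPASSWD:", "cmds": expanded})
    return rules

def check(rules, user, host, runas, cmd):
    """None = no rule permits it; otherwise whether a password is required.
    As with sudo, the LAST matching line decides, so order matters."""
    verdict = None
    for r in rules:
        if (r["user"], r["host"], r["runas"]) == (user, host, runas) and cmd in r["cmds"]:
            verdict = not r["nopasswd"]
    return verdict

if __name__ == "__main__":
    rules = parse_sudoers(SUDOERS)
    # "sudo tomcat ..." asks sudo to run a command named "tomcat" as root: no rule
    # matches, and sudo still prompts for a password before reporting that.
    print(check(rules, "user1", "ci01", "root", "tomcat"))                         # None
    # "sudo -u tomcat /opt/tomcat/bin/shutdown.sh" is what the rule covers.
    print(check(rules, "user1", "ci01", "tomcat", "/opt/tomcat/bin/shutdown.sh"))  # False
```

On a real host, running "sudo -l" as user1 lists the rules that actually loaded, which is the quickest way to tell a parse problem from a mismatched invocation.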