All servers mentioned below run OpenSuSE, either 10 or 11.

I am currently working on a few scripts that are meant to be used as part of a continuous integration setup. I am trying to keep these scripts reasonably secure, and so I have made sure that all the servers run these scripts only as a specific user (user1) that has permissions to basically nothing else. The problem I am currently running into is that I need to start and stop tomcat as user1 but this user doesn't have permissions to the tomcat directory (only tomcat has execute permissions). I have a temporary workaround in place while I work on the scripts (I have an SSH key in place that allows me to SSH from user1 to tomcat without a password and execute my commands that way) but it is not very secure. I have tried adding the following line to /etc/sudoers:
but it doesn't work as I expected it to. I tried a few different syntaxes for that line, but the man file was a little confusing and I'm not sure if the syntax was right. If anyone knows the proper syntax for this, or knows another way to su between users without a password prompt, I'd appreciate it.

p.s.- I need a way to actually execute commands as a different user in general- I have other uses for this in these scripts aside from simply starting and stopping Tomcat.

Should go something like this:

You don't want to 'su' freely between users. Sudo already allows one user to execute commands as other users and w/o password.

sudo is the tool made for what you are trying to do. The man pages MAY be sufficient, but there are more complete documents and tutorials online.

I have put this code into my /etc/sudoers file and changed the username and hostname values to appropriate values, but I am still prompted for a password every time I try to run the command sudo tomcat /opt/tomcat/bin/shutdown.sh Is there something I need to run to get these changes loaded? I've tried logging out of the user meant to run the commands and logging back in, but that is apparantly not enough to load the changes.


Sudo allows one user to execute commands as other users AFTER they have entered the root password- my goal is to not be prompted for a password at all, as there won't be anyone there to type it in, and I'm not putting it in my script.


Thanks for the help so far!

Actually, sudo allows one user to execute commands as another user; period.

Whether it asks for a passwd or not depends on the NOPASSWD option being set or not. Note also that it asks for the passwd of the src user, NOT root's passwd.

(If using the 'su -' cmd, it asks for the passwd of the target user, which may or may not be root...)

And to amplify a bit, sudo NEVER requires the root password.
When and if it requests a password, it is asking for the password of the user who called sudo. NOT root, and NOT the target user.

hint: If you have multiple lines in the sudoers file that may authorize the same command, one with nopass and one without, the order is important.

...and to add to that maybe try an explicit 'sudo -u tomcat /opt/tomcat/bin/shutdown.sh'?