Old 06-11-2012, 10:59 PM   #1
ssh1sgp
LQ Newbie
 
Registered: Jun 2012
Posts: 2

How to start xclock from another user id?


Hi All,

I have a really urgent requirement to solve this issue. I am implementing security for a machine.
It's like this,

I have one machine where I have created two user IDs. Now for security reasons I have disabled the root ID and added one ID 'ssh1sgp' to the wheel group.
I have added the other user ID 'testuser1' to /etc/gdm/custom.conf, so that once the machine boots up it logs in with testuser1 directly instead of showing the uid/pwd prompt.

Now I want to run one of the processes, for example xclock, after startup, but I want it to be run by 'ssh1sgp' and it shouldn't prompt for a password.

What I have done from my end is I have added a line in testuser1's startup file, i.e. .bash_profile: su - ssh1sgp -c xclock. I expected that after the machine boots up it would read from the startup file and run xclock as the ssh1sgp user. But it didn't happen.

Now I am not sure how to do this in a different way. Do I need to create a script with the same line in it and add it in rc1.d or something like that?

Please help as your comments are highly valuable.

Thanks
 
Old 06-12-2012, 02:31 AM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Only root has permission to start a subshell under another userid other than its own iirc. Usually cron will mail the local user the results of a cron job and if it failed, why.

Check /var/spool/mail/testuser1 for cron error messages to confirm my suspicions.

You might be able to accomplish your desire using sudoers file and allowing testuser1 to subshell the xclock command. You'd have to configure it to execute with NOPASSWD in order for this to work seamlessly with cron. Another option would be to use ssh to ssh1sgp@localhost and have it execute the xclock command that way. For that to work with cron you'd need to set up ssh keys. This is all primarily speculation and I couldn't say for sure which is the right solution for you as they're all hacks.

*EDIT*
I'm not entirely sure of what you're trying to accomplish so perhaps a better question for me to ask is what is your end goal? You can receive unhelpful solutions all day if you're attempting to solve the wrong problem to accomplish your goals. Your "security" implementation doesn't appear to implement any security and if anything sounds like it opens up vulnerability. There should be no reason a user should need to subshell a process for another user except root (either done manually or as a daemon).

Please elaborate on what security problem you think you're solving and tell us why this is necessary. You may be trying to solve a problem which doesn't exist (and if your superiors say otherwise then we can help you explain why it may or may not exist). I think that would be for the best.

So to reiterate, what is your end goal in all of this?

Last edited by sag47; 06-12-2012 at 02:40 AM.
 
Old 06-13-2012, 01:58 AM   #3
ssh1sgp
LQ Newbie
 
Registered: Jun 2012
Posts: 2

Original Poster
Thanks for the reply sag47.

Alright, I will make it more simple. Let us just forget about security and all that blah blah...

I have created two users, ssh1sgp and testuser1. I have added ssh1sgp to the wheel group. Now I have restarted the system and logged in with testuser1.

After logging in with testuser1, I want to run xclock, or should I say once I have logged in as testuser I want to see xclock appearing on the desktop, and that should be owned by ssh1sgp. (It doesn't matter if testuser can run another xclock by his id or not.)
The concern with ssh1sgp user I could run xclock on testuser's desktop. Also I don't want any password prompt for ssh1sgp (as he is in sudoers).

The end result is I just want to make sure if we can run xclock or X11 apps with one user while being in another user's desktop, also without prompting for a password and all.

I hope this is much better and clear explanation of what I am looking for?

Thanks.
 
Old 06-13-2012, 08:02 AM   #4
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Perhaps something like this in /etc/sudoers might fit the bill.
Code:
##
# User alias specification
##
#can add users separated by a comma; user1, user2, etc.
User_Alias	ALLOWEDUSERS = testuser1

##
# Runas alias specification
##
Runas_Alias	XCLOCK = ssh1sgp

#users in the ALLOWEDUSERS list can run the /usr/bin/xclock command with sudo; run as ssh1sgp user.
ALLOWEDUSERS		ALL = (XCLOCK) NOPASSWD: /usr/bin/xclock

I gathered understanding of sudoers by reading the following two articles after googling "sudoers nopasswd example".
http://www.gratisoft.us/sudo/sudoers.man.html
http://www.gratisoft.us/sudo/sample.sudoers

You can run it like so,
Code:
sudo -u ssh1sgp /usr/bin/xclock

And it will execute.

Alternatively you can replace ALLOWEDUSERS alias with %groupname so that any user in a particular group can run that command. Adding -b option will run the command in the background, see the sudo man page for more information.

su - user -c "XYZ" will always prompt you for a password even if you're attempting to run the command with the current user. The only exception to that rule is root. sudoers can also handle this if you really want but be very careful to specify the full command and options which you want to execute as root so that way your security is as tight as it *could* be.

Code:
#users in the ALLOWEDUSERS list can subshell a command to user ssh1sgp as root without requiring a password.
ALLOWEDUSERS		ALL = (root) NOPASSWD: /bin/su - ssh1sgp -c "/usr/bin/xclock"

I believe that's what you were looking for. All of that information can be found in the sudo manual I linked to you above.

It's best practice to provide the full path to binaries (i.e. /bin/ls rather than ls) when setting up your sudoers file to minimize the risk of a user executing sudo ls without a password outside of its intended purpose (namely a cron job or the like).

SAM

Last edited by sag47; 06-13-2012 at 08:06 AM.
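
An added example, not part of sag47's post or of sudo itself: a small audit of NOPASSWD rules such as the two in the answer above, reporting which account each rule runs as and whether its arguments are restricted. The function name `audit_nopasswd` is hypothetical, the last sample rule is constructed to show an over-broad grant, and the parser assumes one rule per line with a single Runas user per alias.

```shell
#!/bin/sh
# Added example: review NOPASSWD rules in a sudoers fragment.
# Lines 1-4 are the rules from the thread; line 5 is a constructed over-broad rule.
SAMPLE_SUDOERS='User_Alias ALLOWEDUSERS = testuser1
Runas_Alias XCLOCK = ssh1sgp
ALLOWEDUSERS ALL = (XCLOCK) NOPASSWD: /usr/bin/xclock
ALLOWEDUSERS ALL = (root) NOPASSWD: /bin/su - ssh1sgp -c "/usr/bin/xclock"
testuser1 ALL = (ALL) NOPASSWD: ALL'

# Reads sudoers text on stdin; prints one "LEVEL line N: reason" per NOPASSWD rule
# that deserves a second look.
audit_nopasswd() {
    awk '
    /^[ \t]*#/ { next }                               # skip comments
    $1 == "Runas_Alias" { alias[$2] = $4; next }      # remember alias -> user
    !/NOPASSWD:/ { next }
    {
        runas = "root"                                # sudoers default without (runas)
        if (match($0, /\([^)]*\)/))
            runas = substr($0, RSTART + 1, RLENGTH - 2)
        if (runas in alias) runas = alias[runas]      # resolve e.g. XCLOCK -> ssh1sgp

        cmd = $0
        sub(/.*NOPASSWD:[ \t]*/, "", cmd)             # keep only the command spec
        sub(/[ \t]+$/, "", cmd)
        n = split(cmd, part, /[ \t]+/)

        if (part[1] == "ALL")
            print "HIGH line " NR ": any command without a password"
        else if (part[1] !~ /^\//)
            print "HIGH line " NR ": command is not an absolute path"
        else if (runas == "root" || runas == "ALL")
            print "WARN line " NR ": runs as " runas "; check every argument is pinned"
        else if (n == 1)
            print "INFO line " NR ": " part[1] " as " runas " accepts any arguments"
    }'
}

# Stand-alone run over the sample rules.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_nopasswd
```

A rule that lists no arguments lets the caller pass any arguments to the command, which is why the xclock rule is reported as INFO rather than passed silently.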
 