LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-11-2012, 11:59 PM   #1
ssh1sgp
LQ Newbie
 
Registered: Jun 2012
Posts: 2

Rep: Reputation: Disabled
How to start xclock from another user id?


Hi All,

I have a really urgent requirement to solve this issue. I am implementing a security for a machine.
Its like this,

I have one machine where i have created two user id's. Now for secureity reasons i have disabled root id and added one id 'ssh1sgp' to wheel group.
I have added the the other user id 'testuser1' to /etc/gdm/custom.conf, so that one the machine boots up it gets login with testuser1 directly instead of asking uid/pwd prompt.

Now i want to run one of the process for example xclock after startup, but i want it to be run by 'ssh1sgp' and it shouldnt prompt for password.

What I have done from my end is i have added a line in testuser1's startup file i.e. .bash_profile, su - ssh1sgp -c xclock. I expeced after the machine boots up it will read from the startup file and run the xclock as ssh1sgp user. But it didnt happened.

Now i am not sure how to do this in a different way. Do I need create a script with the same line in it and add it in rc1.d or something like that?

Please help as your comments are highly valuable.

Thanks
 
Old 06-12-2012, 03:31 AM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Orange County, CA
Distribution: Kubuntu x64, Raspbian, CentOS
Posts: 1,831
Blog Entries: 36

Rep: Reputation: 451Reputation: 451Reputation: 451Reputation: 451Reputation: 451
Only root has permission to start a subshell under another userid other than its own iirc. Usually cron will mail the local user the results of a cron job and if it failed, why.

Check /var/spool/mail/testuser1 for cron error messages to confirm my suspicions.

You might be able to accomplish your desire using sudoers file and allowing testuser1 to subshell the xclock command. You'd have to configure it to execute with NOPASSWD in order for this to work seamlessly with cron. Another option would be to use ssh to ssh1sgp@localhost and have it execute the xclock command that way. For that to work with cron you'd need to set up ssh keys. This is all primarily speculation and I couldn't say for sure which is the right solution for you as they're all hacks.

*EDIT*
I'm not entirely sure of what you're trying to accomplish so perhaps a better question for me to ask is what is your end goal? You can receive unhelpful solutions all day if you're attempting to solve the wrong problem to accomplish your goals. Your "security" implementation doesn't appear to implement any security and if anything sounds like it opens up vulnerability. There should be no reason a user should need to subshell a process for another user except root (either done manually or as a daemon).

Please elaborate on what security problem you think you're solving and tell us why this is necessary. You may be trying to solve a problem which doesn't exist (and if your superiors say otherwise then we can help you explain why it may or may not exist). I think that would be for the best.

So to reiterate, what is your end goal in all of this?

Last edited by sag47; 06-12-2012 at 03:40 AM.
 
Old 06-13-2012, 02:58 AM   #3
ssh1sgp
LQ Newbie
 
Registered: Jun 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thaks for the reply sag47.

Alright I will make it more simple. Let us just forget about security and all that blah blah...

I have created two users ssh1sgp and testuser1. I have added ssh1sgp to wheel group. Now I have restarted the system and logged in with testuser1.

After logging in with testuser1, I want to run the xclock or should I say once I lgged in as testuser I want to see xclock on desktop appearing, and that should be owned by ssh1sgp. (It doesnt matter if testuser can run another xclock by his id or not).
The concern with ssh1sgp user i could run xclock on testusers desktop. Also i dont want any password prompt for ssh1sgp (as he is in sudoers).

The end result is I just want to make sure if we can run xclock or x11 apps with one user while being in other users desktop. also without prompting for password and al.

I hope this is much better and clear explanation of what I am looking for?

Thanks.
 
Old 06-13-2012, 09:02 AM   #4
sag47
Senior Member
 
Registered: Sep 2009
Location: Orange County, CA
Distribution: Kubuntu x64, Raspbian, CentOS
Posts: 1,831
Blog Entries: 36

Rep: Reputation: 451Reputation: 451Reputation: 451Reputation: 451Reputation: 451
Perhaps something like this in /etc/sudoers might fit the bill.
Code:
##
# User alias specification
##
#can add users separated by a comma; user1, user2, etc.
User_Alias	ALLOWEDUSERS = testuser1

##
# Runas alias specification
##
Runas_Alias	XCLOCK = ssh1sgp

#users in the ALLOWEDUSERS list can run the /usr/bin/xclock command with sudo; run as ssh1sgp user.
ALLOWEDUSERS		ALL = (XCLOCK) NOPASSWD: /usr/bin/xclock
I gathered understanding of sudoers by reading the following two articles after googling "sudoers nopasswd example".
http://www.gratisoft.us/sudo/sudoers.man.html
http://www.gratisoft.us/sudo/sample.sudoers

You can run as like so,
Code:
sudo -u ssh1sgp /usr/bin/xclock
And it will execute.

Alternatively you can replace ALLOWEDUSERS alias with %groupname so that any user in a particular group can run that command. Adding -b option will run the command in the background, see the sudo man page for more information.

su - user -c "XYZ" will always prompt you for a password even if you're attempting to run the with the current user. The only exception to that rule is root. sudoers can also handle this if you really want but be very careful to specify the full command and options which you want to execute as root so that way your security is as tight as it *could* be.

Code:
#users in the ALLOWEDUSERS list can run subshell a command to user ssh1sgp as root without requiring a password.
ALLOWEDUSERS		ALL = (root) NOPASSWD: /bin/su - ssh1sgp -c "/usr/bin/xclock"
I believe that's what you were looking for. All of that information can be found in the sudo manual I linked to you above.

It's best practice to provide the full path to binaries (i.e. /bin/ls rather than ls) when setting up your sudoers file to minimize the risk of a user executing sudo ls without a password outside of its intended purpose (namely a cron job or the like).

SAM

Last edited by sag47; 06-13-2012 at 09:06 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Unable to start xclock in Linux for my oracle reports- for bar code printing anumoses Linux - Newbie 2 05-09-2011 02:47 PM
Unable to start xclock in Linux for my oracle reports- for bar code printing anumoses Linux - Server 4 04-15-2011 07:25 PM
xclock running from start script doesn't display correctly rikijpn Linux - Software 2 02-27-2011 12:36 PM
cannot start kdeas user ,can start icewm,fluxbox jackren Debian 1 03-01-2004 12:06 AM


All times are GMT -5. The time now is 01:12 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration