Passwordless su in a Bash Script?

Sniperm4n · 06-19-2012, 07:34 PM

I've run into a dilemma while migrating a Hadoop installation from Oracle Enterprise Linux to Ubuntu. The prior developer put the following command into rc.local within OEL:

su reporter -c "cd /path/to/directorywithscript && bash runwebserver.sh >> /dev/null 2>&1&"

I need the above webserver to automatically start (and stop) in Ubuntu as the specified reporter user (the automation stuff is MUCH less important than getting this script to properly run as the reporter user, but is a "nice to have" feature). This process needs to start last, as I still need to configure a couple of other Hadoop-related scripts to automatically start before this one (the webserver resides in the Hadoop filesystem, which doesn't get mounted until after you're in the OS). Every time I issue the su command I get asked for a password. This occurs regardless of which user is currently "active" and wasn't a problem in OEL since the Root user is actually used. Here is my current attempt at a /etc/sudoers file, but it's still not working (I'm unsure if the changes I made at the bottom are correct):

Code:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification

# Allow members of group sudo to execute any command after they have
# provided their password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# User privilege specification
root    ALL=(ALL) ALL
user3 ALL=(ALL)NOPASSWD:/bin/su
user2 ALL=(ALL)NOPASSWD:/bin/su
user1 ALL=(ALL)NOPASSWD:/bin/su
reporter ALL=(ALL)NOPASSWD:/bin/su

This is a duplicate of a thread I posted over at UbuntuForums.org (http://ubuntuforums.org/showthread.p...1#post12040341), but I'm getting desperate for an answer =P. Please note that my Linux knowledge is still weak (I knew almost no Linux before this project was dropped in my lap). Any help is greatly appreciated as this is currently a major stumbling block!! =)

Thanks,
-Snipe

catkin · 06-20-2012, 05:01 AM

Unless ubuntu have done something weird, rc.local is run with root privileges during boot and the su reporter -c command should work.

You could try removing >> /dev/null 2>&1 and rebooting to see if that generates any helpful error messages. The final & may be required so safest to leave it there or rc.local may not run to completion.

In case ubuntu does not display or log the boot messages, you could change >> /dev/null 2>&1 to something like >> /var/log/runwebserver.log 2>&1

Sylvester Ink · 06-21-2012, 12:26 AM

Okay, I think I may have a solution for you.

***
In your sudoers file, add the following line:
sniper ALL=(reporter) NOPASSWD: ALL

Where "sniper" is your username. This means that the user "sniper" will be given permission on "ALL" hosts to run "ALL" commands as the user "reporter" without requiring a password. (More on this below.)

***
In order to run the command, you would type in the following line (when logged in as "sniper"):
sudo -u reporter -i /home/reporter/somescript

The -u argument tells sudo to execute the following command as the user "reporter." The -i argument tells sudo to log in as the user "reporter" when executing the command. "somescript" is a bash script in the directory /home/reporter.

***
Inside of somescript (or whatever you decide to name it), you can put the following two lines:
#!/bin/bash
cd /path/to/directorywithscript && bash runwebserver.sh >> /dev/null 2>&1&

Also, be sure to "chmod 755 somescript" in order to make it executable. The reason to put this in a bash script is that it results in less typing for you. You can type the full line in otherwise, but work smarter not harder etc etc.

This is the quickest way to get things working the way you want, but it may not be the most ideal. For one, any command can be run as reporter by using the above command. In fact, the command "sudo -u reporter -i" (exactly as it is) will log you in as the user "reporter," which may be giving away too much access to reporter's account. However, this is necessary as full access is required to run any login scripts that reporter has, as well as any commands in the script files. There are probably other, more secure ways to do this, but it would require a different approach than what you're using.

In any case, it should do what you want it to do. Be sure to check out the Sudoer's Manual for more info:
http://www.gratisoft.us/sudo/sudoers.man.html

Good luck!
[EDIT]Catkin's solution is closer to what you would want to do in a server environment, so if possible, use that solution first. The page wasn't reloaded from when I first opened it, so I didn't see his response before I posted mine.[/EDIT]

Sniperm4n · 07-05-2012, 12:02 PM

Thank you to everyone for your in-depth responses! Unfortunately, the project has been terminated (with the finish line in sight) and I can't test this any further. Yay for corporate B.S.! =/