Switch User- No Passwd
All servers mentioned below run OpenSuSE, either 10 or 11.
I am currently working on a few scripts that are meant to be used as part of a continuous integration setup. I am trying to keep these scripts reasonably secure, and so I have made sure that all the servers run these scripts only as a specific user (user1) that has permissions to basically nothing else. The problem I am currently running into is that I need to start and stop tomcat as user1 but this user doesn't have permissions to the tomcat directory (only tomcat has execute permissions).
I have a temporary workaround in place while I work on the scripts (I have an SSH key in place that allows me to SSH from user1 to tomcat without a password and execute my commands that way) but it is not very secure. I have tried adding the following line to /etc/sudoers:
Code:
tomcat localhost = NOPASSWD: /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh
P.S. I need a way to actually execute commands as a different user in general. I have other uses for this in these scripts aside from simply starting and stopping Tomcat. |
Quote:
Code:
# Define Cmnd_Aliases makes it easier to manage (groups of) services (later on):
Quote:
|
I second
sudo is the tool made for what you are trying to do. The man pages MAY be sufficient, but there are more complete documents and tutorials online.
|
Quote:
Quote:
Thanks for the help so far! |
Actually, sudo allows one user to execute commands as another user; period.
Whether it asks for a passwd or not depends on the NOPASSWD option being set or not. Note also that it asks for the passwd of the src user, NOT root's passwd. (If using the 'su -' cmd, it asks for the passwd of the target user, which may or may not be root...) |
sudo
And to amplify a bit, sudo NEVER requires the root password.
When and if it requests a password, it is asking for the password of the user who called sudo. NOT root, and NOT the target user.
Hint: If you have multiple lines in the sudoers file that may authorize the same command, one with nopass and one without, the order is important. |
...and to add to that maybe try an explicit 'sudo -u tomcat /opt/tomcat/bin/shutdown.sh'?
|
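Added example, not part of the thread: a sudoers fragment for the setup described in the first post, with the line tried there kept as a comment for comparison. The alias name TOMCAT_CTL and the ALL host field are assumptions made for this example; user1, tomcat and the script paths come from the thread.

```sudoers
# Edit with visudo; check the syntax afterwards with: visudo -c
#
# Field order of a rule:  who  where = (run-as user)  tags: commands
#
# The line tried in the first post, for comparison. Its first field names the
# user who is allowed to call sudo, so it authorises tomcat (not user1), and
# with no (run-as) part the target user defaults to root:
#   tomcat localhost = NOPASSWD: /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh

# TOMCAT_CTL is an alias name chosen for this example.
Cmnd_Alias TOMCAT_CTL = /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh

# user1 may run exactly these two scripts as tomcat, with no password prompt.
# Full paths and no wildcards: this rule grants nothing else.
# ALL in the host field is an assumption; narrow it if the file is shared
# between machines.
user1 ALL = (tomcat) NOPASSWD: TOMCAT_CTL

# Order matters: when several rules match a command, the last match wins, so
# a later rule like this one would bring the password prompt back:
#   user1 ALL = (tomcat) PASSWD: TOMCAT_CTL

# In the CI script, running as user1:
#   sudo -u tomcat /opt/tomcat/bin/startup.sh
#   sudo -u tomcat /opt/tomcat/bin/shutdown.sh
```

For the other "run as a different user" cases mentioned in the first post, the same pattern applies: one rule per target user in the (run-as) field, each listing only the full paths that user1 needs.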