LinuxQuestions.org
Old 12-20-2010, 05:08 PM   #1
Tyler_H72
Member
 
Registered: May 2008
Distribution: OpenSuSE
Posts: 65

Rep: Reputation: 15
Switch User- No Passwd


All servers mentioned below run OpenSuSE, either 10 or 11.

I am currently working on a few scripts that are meant to be used as part of a continuous integration setup. I am trying to keep these scripts reasonably secure, and so I have made sure that all the servers run these scripts only as a specific user (user1) that has permissions to basically nothing else. The problem I am currently running into is that I need to start and stop tomcat as user1 but this user doesn't have permissions to the tomcat directory (only tomcat has execute permissions). I have a temporary workaround in place while I work on the scripts (I have an SSH key in place that allows me to SSH from user1 to tomcat without a password and execute my commands that way) but it is not very secure. I have tried adding the following line to /etc/sudoers:
Code:
tomcat localhost = NOPASSWD: /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh
but it doesn't work as I expected it to. I tried a few different syntaxes for that line, but the man file was a little confusing and I'm not sure if the syntax was right. If anyone knows the proper syntax for this, or knows another way to su between users without a password prompt, I'd appreciate it.

p.s.- I need a way to actually execute commands as a different user in general- I have other uses for this in these scripts aside from simply starting and stopping Tomcat.
 
Old 12-20-2010, 06:50 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592
Quote:
Originally Posted by Tyler_H72 View Post
If anyone knows the proper syntax for this,
Should go something like this:
Code:
# Defining Cmnd_Aliases makes it easier to manage (groups of) services (later on):
Cmnd_Alias TOMCATSVC = /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh
# Allow "user1" to run on host "HOSTNAME" any command defined in the TOMCATSVC Cmnd_Alias as user "tomcat" w/o password:
user1 HOSTNAME = (tomcat) NOPASSWD: TOMCATSVC

Quote:
Originally Posted by Tyler_H72 View Post
or knows another way to su between users without a password prompt
You don't want to 'su' freely between users. Sudo already allows one user to execute commands as other users and w/o password.
 
Old 12-20-2010, 07:08 PM   #3
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,360

Rep: Reputation: 1452
I second

sudo is the tool made for what you are trying to do. The man pages MAY be sufficient, but there are more complete documents and tutorials online.
 
Old 12-21-2010, 11:58 AM   #4
Tyler_H72
Member
 
Registered: May 2008
Distribution: OpenSuSE
Posts: 65

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn View Post
Should go something like this:
Code:
# Defining Cmnd_Aliases makes it easier to manage (groups of) services (later on):
Cmnd_Alias TOMCATSVC = /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh
# Allow "user1" to run on host "HOSTNAME" any command defined in the TOMCATSVC Cmnd_Alias as user "tomcat" w/o password:
user1 HOSTNAME = (tomcat) NOPASSWD: TOMCATSVC
I have put this code into my /etc/sudoers file and changed the username and hostname values to appropriate values, but I am still prompted for a password every time I try to run the command
Code:
sudo tomcat /opt/tomcat/bin/shutdown.sh
Is there something I need to run to get these changes loaded? I've tried logging out of the user meant to run the commands and logging back in, but that is apparently not enough to load the changes.


Quote:
Originally Posted by unSpawn View Post
You don't want to 'su' freely between users. Sudo already allows one user to execute commands as other users and w/o password.
Sudo allows one user to execute commands as other users AFTER they have entered the root password- my goal is to not be prompted for a password at all, as there won't be anyone there to type it in, and I'm not putting it in my script.


Thanks for the help so far!

Last edited by Tyler_H72; 12-21-2010 at 01:20 PM.
 
Old 12-22-2010, 12:27 AM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 7.7 (?), Centos 8.1
Posts: 17,782

Rep: Reputation: 2538
Actually, sudo allows one user to execute commands as another user; period.

Whether it asks for a passwd or not depends on the NOPASSWD option being set or not. Note also that it asks for the passwd of the src user, NOT root's passwd.

(If using the 'su -' cmd, it asks for the passwd of the target user, which may or may not be root...)
 
Old 12-22-2010, 07:04 AM   #6
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,360

Rep: Reputation: 1452
sudo

And to amplify a bit, sudo NEVER requires the root password.
When and if it requests a password, it is asking for the password of the user who called sudo. NOT root, and NOT the target user.

hint: If you have multiple lines in the sudoers file that may authorize the same command, one with nopass and one without, the order is important.
 
Old 12-22-2010, 05:16 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592
...and to add to that maybe try an explicit 'sudo -u tomcat /opt/tomcat/bin/shutdown.sh'?

Last edited by unSpawn; 12-22-2010 at 05:33 PM.
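
Added example (not code from any poster and not sudo's own parser): a simplified Python model of how the sudoers lines in this thread are matched, covering the user/host/(runas)/NOPASSWD fields from post #2, the entry-order hint from post #6, and the `sudo -u tomcat` invocation from post #7. The hostname `ci-host` and the extra `user1 ALL = (ALL) ALL` entry are constructed; only plain names, `ALL`, `Cmnd_Alias` and the `NOPASSWD:` tag are modelled.

```python
import re

# user host = (runas) NOPASSWD: cmd, cmd   (runas and tag are optional)
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:\s*)?(.+)$")

def parse(text):
    """Split a simplified sudoers fragment into Cmnd_Aliases and user rules."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        elif (m := SPEC.match(line)):
            user, host, runas, nopass, cmds = m.groups()
            rules.append((user, host, runas or "root", bool(nopass),  # no (runas) means root
                          [c.strip() for c in cmds.split(",")]))
    return aliases, rules

def decide(text, user, host, runas, command):
    """Return 'nopasswd', 'password' or 'denied' for one sudo invocation."""
    aliases, rules = parse(text)
    verdict = "denied"
    for r_user, r_host, r_runas, nopass, cmds in rules:
        allowed = [c for name in cmds for c in aliases.get(name, [name])]
        if (r_user == user and r_host in (host, "ALL") and r_runas in (runas, "ALL")
                and (command in allowed or "ALL" in allowed)):
            verdict = "nopasswd" if nopass else "password"   # last match wins
    return verdict

STOP = "/opt/tomcat/bin/shutdown.sh"
# First attempt from the thread: "tomcat" in the first field is the *invoking* user.
ORIGINAL = "tomcat localhost = NOPASSWD: /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh"
# Suggested form, with the constructed hostname "ci-host" filled in.
FIXED = """Cmnd_Alias TOMCATSVC = /opt/tomcat/bin/startup.sh, /opt/tomcat/bin/shutdown.sh
user1 ci-host = (tomcat) NOPASSWD: TOMCATSVC"""
# Constructed later entry that also matches and carries no NOPASSWD tag.
SHADOWED = FIXED + "\nuser1 ALL = (ALL) ALL"

if __name__ == "__main__":
    print(decide(ORIGINAL, "user1", "localhost", "tomcat", STOP))  # rule is for user tomcat
    print(decide(FIXED, "user1", "ci-host", "tomcat", STOP))       # sudo -u tomcat <script>
    print(decide(FIXED, "user1", "ci-host", "root", "tomcat"))     # sudo tomcat <script>
    print(decide(SHADOWED, "user1", "ci-host", "tomcat", STOP))    # later entry wins
```

On a real system, `visudo -c` checks the file's syntax and `sudo -l` run as user1 lists what that user is actually granted.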
 
  

