Execute Script as a different user and not root
Situation:
I would like to execute a shell script directly from the web GUI. The shell script is owned by user "tux". Since my web server is running as apache, I cannot execute tux's shell script. OS: CentOS
What I have tried:
su -c "/opt/tomcat/bin/shutdown.sh" -s /bin/sh tux
I tried different ways mentioned - this is how it worked when I was logged in as root user.
Question:
Is there a way to do the same without being root? Something like a command where I can pass the user AND his password to execute the script.
I can't just change the ownership of the script because it depends on the tux profile (other files, directories).
Many thanks for your help!
edit: I had to edit the example as it was wrong.
Try the following:
echo "$pass" | sudo -S -u $user script
$pass - password, $user - the user who wants to run the script. (This user must have permission to run the script.)
If your user doesn't have permission, try running it as the group:
echo "$pass" | sudo -S -g $group script
This group must have permission to run the script.
Note. Passing a password like this is not a good idea.
If your user cannot use sudo:
If your user cannot use sudo, then you cannot run the script by switching users from sudo. You should consider executing the script with this user account other than sudo. And for that, that user must have permission to execute the script.
One way to do this is to change the script permission to 755 (from sudo user):
Then you can execute the script by entering the path into the terminal. (If your script depends on a relative path, make sure to cd to the parent directory of the script before running.)
Note. This will allow any user to execute the script (without any authentication)
Another way is to add a non-sudo user to a group that has permission to execute the script:
In this case, permissions such as:
chmod ug+rwx,o-x+r script
# read, write, execute permission to user and group, and read-only to others
and
chmod u+rwx,g+rx,o-x+r script
# read, write, execute to user, rx to group, and read-only to others
and so on where the group is allowed to execute the file will do the trick. This is more secure than using permission 755.
Steps to follow with this process:
1. Log into a user account that has sudo privilege.
2. Change the permission of the script so that only the user and group will be allowed to execute the script.
Example:
chmod u+rwx,g+rx,o-x path/to/the/script
3. Add a non-sudo user to the current user group:
sudo usermod -g $USER non_sudo_user_name
#you don't need to edit $USER, only non_sudo_user_name
4. Enter a new username in the non sudo user account.
You can now execute your script by running:
/path/to/the/script
Note. If your script depends on a relative path, you may need to cd to the parent directory of the script before running it.
You can add the user tux in /etc/sudoers with NOPASSWD so that he can run sudo without a password prompt.
E.g. add this to the end of /etc/sudoers to allow any command to be executed without a password (note that there is a dedicated tool for this - visudo):
tux ALL=(ALL) NOPASSWD: ALL
Or, a more limited way - only allow this for your script:
tux ALL = NOPASSWD: /opt/tomcat/bin/shutdown.sh
After that, check that the changes are in effect by running any command from the terminal, for example:
sudo id
and it shouldn't ask for root password.
UPDATE:
To have Apache run a script owned by another user (for example tux), add this line to sudoers:
www-data ALL=(ALL) NOPASSWD: /bin/bash /opt/tomcat/bin/shutdown.sh
Then you can run it without a password:
sudo -u tux /bin/bash /opt/tomcat/bin/shutdown.sh
Also, check the following:
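The sudoers rules quoted in the answer above differ in what they grant: a rule with no run-as list, or with (ALL), lets the caller run the command as root rather than only as tux. The following shell lint is an added example, not part of the original answers; its verdict labels and the scoped "apache ... (tux)" rule are assumptions built from the names in the question.

```shell
#!/bin/sh
# Added example. Verdict labels are this example's own, not sudo terminology.
# classify_rule RULE -> prints ANY_COMMAND, ROOT_CAPABLE, SCOPED or NO_NOPASSWD.
# Handles single-line "user host=(runas) NOPASSWD: cmd[, cmd]" rules only
# (no aliases, no line continuations, no mixed PASSWD/NOPASSWD tags).
classify_rule() {
    rule=$1
    case $rule in
        *NOPASSWD:*) ;;
        *) echo NO_NOPASSWD; return 0 ;;
    esac
    lhs=${rule%%NOPASSWD:*}           # "user host=(runas) "
    cmds=${rule#*NOPASSWD:}           # command list after the tag
    # The run-as list is the text in parentheses; when absent, sudo runs as root.
    case $lhs in
        *"("*")"*) runas=${lhs#*"("}; runas=${runas%%")"*} ;;
        *)         runas=root ;;
    esac
    runas=${runas%%:*}                # drop an optional ":group" part
    runas=$(printf '%s' "$runas" | tr -d '[:space:]')
    # Trim the command list and remove spaces around its commas.
    cmds=$(printf '%s' "$cmds" |
        sed 's/[[:space:]]*,[[:space:]]*/,/g; s/^[[:space:]]*//; s/[[:space:]]*$//')
    case ",$cmds," in
        *,ALL,*) echo ANY_COMMAND; return 0 ;;
    esac
    case ",$runas," in
        *,ALL,*|*,root,*) echo ROOT_CAPABLE ;;   # caller may pick root
        *)                echo SCOPED ;;         # named non-root target only
    esac
}

# Constructed input: the three rules quoted on this page, plus a scoped variant
# (account "apache" and target user "tux" are taken from the question).
audit_samples() {
    while IFS= read -r line; do
        printf '%-12s %s\n' "$(classify_rule "$line")" "$line"
    done <<'EOF'
tux ALL=(ALL) NOPASSWD: ALL
tux ALL = NOPASSWD: /opt/tomcat/bin/shutdown.sh
www-data ALL=(ALL) NOPASSWD: /bin/bash /opt/tomcat/bin/shutdown.sh
apache ALL=(tux) NOPASSWD: /opt/tomcat/bin/shutdown.sh
EOF
}

audit_samples
```

A drop-in file holding the chosen rule can be syntax-checked with visudo -c -f FILE before it is installed.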