Top Forums UNIX for Dummies Questions & Answers Sudo -s without password prompt Post 302751899 by Smiling Dragon on Friday 4th of January 2013 08:57:07 PM
Old 01-04-2013
Your shell script (as called by user A) would have this line in it:
Code:
sudo -u userb /full/path/to/anotherShellScript.sh

The "-u userb" flag tells sudo to run as the supplied user instead of root

Add the following line to your sudoers config file:
Code:
usera ALL=(userb) NOPASSWD: /full/path/to/anotherShellScript.sh

The "usera ALL" tells sudo that usera on any server (ALL) may run this command
The "(userb)" tells sudo that the command can only be run as userb (not the default of root)
The "NOPASSWD:" tells sudo not to prompt for usera's password like it normally would (unless otherwise configured elsewhere)

Some traps to watch for:
  • sudo does funny things with the environment. If your other shell script (the one being called as userb) is expecting environment variables to be properly set for userb, you might find it goes wrong. Things like PATH and HOME can surprise you.
    I typically set any variables I need explicitly in the top of shell scripts being called by cron or sudo to prevent these issues.

    If this is a big problem for you, you can add a layer of indirection and use "su - userb -c /full/path/to/anotherShellScript.sh" to have it load userb's environment before running the script.
    Resulting sudo call in your first script would be:
    Code:
    sudo su - userb -c /full/path/to/anotherShellScript.sh

    You would now be running the su - command as root, then having it in turn select userb.

    The line to your sudoers config file would change to:
    Code:
    usera ALL=(root) NOPASSWD: /usr/bin/su - userb -c /full/path/to/anotherShellScript.sh

    The "(root)" bit isn't technically required, but I've done it that way to try and demonstrate what is changing between the two solutions.

  • As RudiC mentions, your company security policy will have an opinion (possibly a very strong opinion) on this. In some outfits, breaching this is bad enough to get you met at the door by security holding all your things in a black plastic rubbish bag, i.e., find out if it's cool to do this before you actually do it.

  • Be careful with the permissions on /full/path/to/anotherShellScript.sh and how well it's written as you've effectively made this script run with elevated privileges. If usera can find a way to change the content of this script, or if the script is written badly enough that someone can break out of it into a shell while it's running, you could be granting usera carte blanche access to run things as userb (thus the security policy comment above). Assume the other users on the box and usera are all determined to destroy your server and/or bring down the company while writing the script and you'll have the appropriate level of paranoia.

Last edited by Smiling Dragon; 01-04-2013 at 10:09 PM..
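
Added example, not part of Smiling Dragon's post: a pre-flight check for the permissions trap described above, which walks from the script up through its parent directories and reports anything that a user other than root or userb could modify. The function name `audit_sudo_target`, its arguments and the `audit.sh` file name are hypothetical, and the optional stop directory is an assumption added so the walk can be limited to a subtree.

```shell
#!/bin/sh
# Added example (not from the post): pre-flight audit of a NOPASSWD sudo target.
# audit_sudo_target SCRIPT TRUSTED_OWNER [STOP_DIR]   (hypothetical helper)
# Walks from SCRIPT up to STOP_DIR (default /) and reports every path
# component that someone other than root/TRUSTED_OWNER could modify.
# Returns 0 when nothing is found, 1 otherwise.
audit_sudo_target() {
    target=$1 trusted=$2 stop=${3:-/}
    findings=0
    case $target in
        /*) ;;
        *) echo "FAIL: $target is not an absolute path"; return 1 ;;
    esac
    [ -f "$target" ] || { echo "FAIL: $target is not a regular file"; return 1; }

    p=$target
    while :; do
        # ls -ld: field 1 is the mode string, field 3 the owner name
        meta=$(ls -ld "$p" | awk '{print $1 " " $3}')
        mode=${meta%% *} owner=${meta#* }

        if [ "$owner" != root ] && [ "$owner" != "$trusted" ]; then
            echo "FAIL: $p is owned by $owner"; findings=$((findings + 1))
        fi
        case $mode in
            ?????w*) echo "FAIL: $p is group-writable ($mode)"
                     findings=$((findings + 1)) ;;
        esac
        case $mode in
            ????????w*) echo "FAIL: $p is world-writable ($mode)"
                        findings=$((findings + 1)) ;;
        esac

        if [ "$p" = "$stop" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    [ "$findings" -eq 0 ]
}

# Run as: sh audit.sh /full/path/to/anotherShellScript.sh userb
if [ "$#" -gt 0 ]; then audit_sudo_target "$@"; fi
```

A symlink in the path is reported as writable on Linux, since `ls -ld` shows the link's own `lrwxrwxrwx` mode; pass the resolved path in that case.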
 
