How to switch to different user inside a shell script and execute some command with the new user?
It's not a good idea to store passwords in scripts, or attempt to stream them into su. The better approach is to use sudo.
Since you're allowing USER1 to act as USER2 without a password, you can set up /etc/sudoers like this:

    USER1 localhost=(USER2) NOPASSWD: ALL
Then you can invoke sudo as USER1 as follows:

    sudo -u USER2 bash
If you want to lock it down a bit more, you can specify a script that the user is allowed to execute. The line in /etc/sudoers might look like:

    USER1 localhost=(USER2) NOPASSWD: /home/USER1/setup.sh
And you would call:

    sudo -u USER2 /home/USER1/setup.sh
Note in this last example, I think that USER2 would need to have an actual shell configured in /etc/passwd (i.e. NOT /bin/false).
Rohith
Updated on June 04, 2022

Comments
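As an added example (not part of the answer above), here is a small bash wrapper around the locked-down "sudo -u USER2 /home/USER1/setup.sh" pattern: it generates the sudoers rule, syntax-checks it with visudo, and runs the command with "sudo -n" so an unattended job fails fast instead of hanging on a password prompt. The user names, host and script path are placeholders taken from the answer, and the helper names are mine.

```bash
#!/bin/bash
# Added example: wrap the "sudo -u USER2 <absolute script>" pattern from the
# answer. Assumes sudo is installed and an admin has installed a rule such as
#   USER1 localhost=(USER2) NOPASSWD: /home/USER1/setup.sh
# (USER1, USER2, localhost and the path are placeholders from the answer).
set -euo pipefail

# Emit the one-line rule an admin drops into /etc/sudoers (or /etc/sudoers.d/).
# Only the single absolute command is permitted, not a whole shell.
sudoers_rule() {
    local runner="$1" target="$2" command="$3" host="${4:-localhost}"
    printf '%s %s=(%s) NOPASSWD: %s\n' "$runner" "$host" "$target" "$command"
}

# Syntax-check a rule file with "visudo -c" before installing it; a typo in
# /etc/sudoers can lock every admin out. Treated as a pass when visudo is
# absent so the example still runs on a machine without sudo.
check_rule_file() {
    command -v visudo >/dev/null 2>&1 || return 0
    visudo -cf "$1" >/dev/null
}

# Run an absolute command as $target. The rule above only matches an exact
# path, so relative paths are refused up front; "sudo -l" then confirms the
# rule covers this command, and "-n" makes sudo fail rather than prompt, so a
# cron or CI job never blocks waiting for a password.
run_as() {
    local target="$1" command="$2"; shift 2
    case "$command" in
        /*) ;;
        *) echo "run_as: refusing relative path '$command'" >&2; return 2 ;;
    esac
    if ! sudo -n -l -u "$target" "$command" "$@" >/dev/null 2>&1; then
        echo "run_as: sudoers does not allow '$command' as $target" >&2
        return 3
    fi
    sudo -n -u "$target" "$command" "$@"
}

# Usage as USER1 (placeholders): run_as USER2 /home/USER1/setup.sh
```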
- Rohith almost 2 years: I am currently logged into "SERVER1" with user "USER1", and I have placed my bash script here. This script has to switch to a different user "USER2" on the same server "SERVER1" and execute some commands with the newly switched user.
  Note: USER1 is not a root user, so I need to specify the USER2 password inside the script, but in an encrypted format.
  Please help me in achieving this..!

      #!/bin/bash
      command1
      command2
      .
      .
      ...
      echo "PASSWORD" | su USER2 << EOF
      command1
      command2
      .
      .
      ...
      EOF

  Please note, I don't want to change any configuration files here to achieve this.
- Rohith over 7 years: Ya.. I know this. I was just trying to get it done without touching the /etc/sudoers file, as I am not a root user who can edit it. Thanks for the reply..!
- Jonathan Leffler over 7 years: @Rohith: If there are painful limitations like "I can't add anything to /etc/sudoers", then you should list them in the question so that people can avoid giving you the obvious sensible answer when it doesn't meet your requirements because of the limitations. (There's also a difference between "don't want to" and "do not have permission to" w.r.t. "edit configuration files".) If you can't hack /etc/sudoers, you may need to explore expect in combination with su or something similarly devious. That's not a good solution; it might be a better solution, though.
- paddy over 7 years: If you don't have root privileges on that system, then what business do you have executing commands as another user?
- Rohith over 7 years: @JonathanLeffler: Sure, will try that.
- Rohith over 7 years: @paddy: I am from the Automation Team; I don't have root privileges on the PROD servers, SysAdmins do. They might not agree to edit /etc/sudoers, will check with them. Thanks..!
- paddy over 7 years: sudo is definitely a better option. A grungier option would be to use ssh along with ~/.ssh/config to allow password-free sessions.