Passwordless su in a Bash script?
Your current edits to /etc/sudoers effectively let user1, user2, user3, and reporter perform any action as root (since running su lets you become root)! You almost certainly do not want this. And this doesn't help your current problem at all, because you don't want those users to run something with an alternate identity, you want root to run something with an alternate identity. Before proceeding, I recommend getting rid of those lines from /etc/sudoers (edit it with visudo of course) unless you're absolutely sure that's what you want.

If you're a non-root user and you run this, you will always be asked for a password:

su reporter -c "cd /path/to/directorywithscript && bash runwebserver.sh >> /dev/null 2>&1&"

But when root runs that, it should simply succeed (assuming it worked before on Oracle Enterprise Server and the only relevant difference is that root login is disabled on Ubuntu).
When you put that line in rc.local, in any GNU/Linux distribution, including Ubuntu, it is run as root. It should just work. When you run it from the command-line, it will not work. But in rc.local, it should just work.

If you want to test it from the command-line, give yourself a root shell of the kind pretty similar to rc.local's environment:

sudo -i

(This simulates an initial root login shell. Normally, for a root shell, use sudo -s. And of course, to run a command ... with sudo, just use sudo ... .)

su -c and sudo take different syntax, so if you did want to make that command use sudo instead of su, you'd have to make additional changes. The easiest way is probably:

sudo -u reporter bash -c "cd /path/to/directorywithscript && ./runwebserver.sh >> /dev/null 2>&1&"

However, I emphasize that you do not need to convert su commands to sudo for them to run properly out of rc.local.
In Ubuntu, unlike Oracle Enterprise Server, logging in as root is disabled by default (and you almost certainly shouldn't enable it). But su still works when run by root. su also works for a non-root user changing identity to another non-root user.

If you have this line in rc.local and it's not working, the reason isn't issues of sudo vs. su. In that case, something else is going wrong. For us to troubleshoot it, you'd have to provide the contents of runwebserver.sh.

Finally, please note that bash runwebserver.sh >> /dev/null 2>&1& is rather inelegant. It's simpler to understand (and, much less importantly, looks nicer) to use bash runwebserver.sh &>> /dev/null. You said this runs last in rc.local, so you don't have to use & to background it.
However, you should consider if you really want to suppress standard error as well as standard output (as you're currently doing). Presumably if something is written to standard error then it's either important or can be suppressed by altering your web server's verbosity settings.
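An added example (not from the answer above, and not a tool shipped with Ubuntu) that turns the answer's warning into a check: it scans a constructed copy of the sudoers rules from the question and reports every NOPASSWD rule whose command list would hand out a root shell (su, a shell binary, or ALL) to a user who can run it as root, while leaving password-protected rules such as %sudo ALL=(ALL) ALL alone. The sample file, the function names and the list of shell binaries are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: find sudoers rules that grant a password-less root shell.
# The sample file below is a constructed copy of the question's rules plus
# one harmless NOPASSWD rule, so the check has something it must NOT flag.
set -eu

SAMPLE_SUDOERS="$(mktemp)"
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample, mirrors the question's /etc/sudoers
Defaults env_reset
%sudo ALL=(ALL) ALL
%admin ALL=(ALL) ALL
root ALL=(ALL) ALL
user3 ALL=(ALL)NOPASSWD:/bin/su
user2 ALL=(ALL)NOPASSWD:/bin/su
user1 ALL=(ALL)NOPASSWD:/bin/su
reporter ALL=(ALL)NOPASSWD:/bin/su
backup ALL=(ALL) NOPASSWD: /usr/bin/rsync
EOF

# Print one line per rule that combines NOPASSWD, a run-as of root (or ALL,
# or no run-as at all, which defaults to root) and a command that yields a
# shell. Comments, Defaults and alias definitions are skipped.
audit_nopasswd_shells() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        /^[ \t]*(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)/ { next }
        /NOPASSWD:/ {
            runas = "root"                            # sudo default when no (user)
            if (match($0, /\([^)]*\)/))
                runas = substr($0, RSTART + 1, RLENGTH - 2)
            if (runas !~ /(^|[,: \t])(ALL|root)([,: \t]|$)/)
                next                                  # cannot become root this way
            cmds = $0
            sub(/.*NOPASSWD:[ \t]*/, "", cmds)        # keep only the command list
            n = split(cmds, c, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(c[i], w, /[ \t]+/)              # first word is the binary
                bin = w[1]
                if (bin == "ALL" || bin ~ /(^|\/)(su|sh|bash|dash|zsh)$/)
                    printf "%s grants a root shell without a password via %s\n", $1, bin
            }
        }
    ' "$1"
}

# Number of offending rules, as a plain integer.
audit_count() {
    audit_nopasswd_shells "$1" | wc -l | tr -d '[:space:]'
}

printf 'Rules granting a password-less root shell in %s:\n' "$SAMPLE_SUDOERS"
audit_nopasswd_shells "$SAMPLE_SUDOERS"
```

Run against a real file with `audit_nopasswd_shells /etc/sudoers` (as root, since the file is not world-readable); the rsync rule in the sample is reported nowhere because the check looks at what the command can do, not merely at whether NOPASSWD is present.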
Sniperm4n, updated on September 18, 2022

Comments
-
Sniperm4n over 1 year
I've run into a dilemma while migrating a Hadoop installation from Oracle Enterprise Linux to Ubuntu. The prior developer put the following command into rc.local within OEL:

su reporter -c "cd /path/to/directorywithscript && bash runwebserver.sh >> /dev/null 2>&1&"

I need the above webserver to automatically start (and stop) in Ubuntu as the specified reporter user. (The automation stuff is much less important than getting this script to properly run as the reporter user, but is a "nice to have" feature.) This process needs to start last, as I still need to configure a couple of other Hadoop-related scripts to automatically start before this one (the webserver resides in the Hadoop filesystem, which doesn't get mounted until after you're in the OS). Every time I issue the su command I get asked for a password. This occurs regardless of which user is currently "active" and wasn't a problem in OEL since the Root user is actually used. Here is my current attempt at a /etc/sudoers file, but it's still not working (I'm unsure if the changes I made at the bottom are correct):

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
# Allow members of group sudo to execute any command after they have
# provided their password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# User privilege specification
root ALL=(ALL) ALL
user3 ALL=(ALL)NOPASSWD:/bin/su
user2 ALL=(ALL)NOPASSWD:/bin/su
user1 ALL=(ALL)NOPASSWD:/bin/su
reporter ALL=(ALL)NOPASSWD:/bin/su

This is a duplicate of a thread I posted over at UbuntuForums.org (http://ubuntuforums.org/showthread.php?p=12040341#post12040341), but I'm getting desperate for an answer =P. Please note that my Linux knowledge is still weak (I knew almost no Linux before this project was dropped in my lap). Any help is greatly appreciated as this is currently a major stumbling block!

Thanks, -Snipe
-
Sniperm4n almost 12 years
Looks like the sudoers file I created is working as was mentioned in my original UbuntuForums.org post. The following code successfully changes users without a password prompt:

sudo su reporter

I'm wondering if it's possible for me to just type "su reporter" while avoiding a password prompt?
-
Eliah Kagan almost 12 years
This line is in rc.local and runs as root already, so it's unnecessary (and does nothing differently) to put sudo in front of it there. For testing the command, this makes sense, although it's not ideal because it tests the command with the current non-root user's environment. (See my answer for details.) You're quite right that the current sudoers configuration seems to let every user become root, though, and that this is bad. At least reporter is presumably not an administrator, and intentionally so.
-
Sniperm4n almost 12 years
Wow, thank you for the crazy in-depth answer Eliah! I'll thoroughly read this over and respond appropriately in the morning as I need to leave work right now =/.
-
Eliah Kagan almost 12 years
@Sniperm4n The reporter line in sudoers is not why it is working, and should be removed. Presumably reporter is a deliberately limited non-root user that runs your web server with deliberately reduced permissions. Assuming this is the case, reporter should definitely not be able to run /bin/su as root (as you currently have configured in sudoers). Furthermore, any administrator on your system can already use sudo to run that or any other command as root; there's probably no good reason for your user1, user2, and user3 entries either.
-
Sniperm4n almost 12 years
All of the users on the system are admins actually lol. The fortunate thing about this is that we're much less concerned about security due to the fact this is a pre-production cluster. I'll re-read and ponder your initial answer tomorrow morning! =)
-
Sniperm4n almost 12 years
Thank you to everyone for your in-depth responses! Unfortunately, the project has been terminated (with the finish line in sight) and I can't test this any further. Yay for corporate B.S.! =/