su command without password prompt to non-root account

Hello. I searched the internet for answers and don't seem to find any for about a day now.

My problem. I want to su to a non-root account non-interactively, e.g. if I want to temporarily become prdusr, I want to su prdusr without keying prdusr's password every time.

What I want is something that works like sudo -S command where I can pipe a protected password file into sudo -S.

e.g. root has granted prdusr the power to kill any job so right now I can run script with the following commands to kill job without any password prompt:

cat passwd.txt | sudo -S prdusr kill $PID (where passwd.txt contains prdusr's password and $PID contains the process id to be killed)

I want to be able to switch to prdusr using similar strategy without the password prompt every time.

Doesn't look like I can do this as most answers I found on the internet are for su root only.

You should take a look at your sudoer conf file. There you should be able to set up prdusr to be called without asking for a password.

Thank you for your reply. I am not the root here. Someone is. The prdusr is shared by the production support team. I am one of the team members who wants to write a little alias to avoid entering the password every time I su prdusr.

The password also changes once a month for prdusr so to eliminate the password prompt completely might not go well with the production support team and defeats the purpose of the password protected prdusr.

Is there any way I can ask Root to make use of sudo -S and treat su prdusr as if temporarily executed as if I was root?

Root grants prdusr privilege to kill any job but when prdusr executes sudo kill, it still prompts for password of prdusr. So what I was hoping is

cat passwd.txt | sudo -S su prdusr would allow me to switch to prdusr without a password prompt if root grants su prdusr 'command' privilege to prdusr?

It is very confusing because su prdusr might not be a command to unix kernel and su prdusr executed by root doesn't require a password prompt which only comes from the nature of sudo setup.

Okay, I've managed to confuse myself. Does sudo ask you for your password, or prdusr's? If it asks you for yours, then it's just sudo demanding the password and -S might work. But if it asks for prdusr's, it's su asking for the password, not sudo, which seems to ignore redirects by reading from the terminal itself rather than stdin. An expect script might be useful, maybe.

Your admins allow you to have a password in a file, especially a file called passwd.txt?

Thank you to every one who looked into my question and responded.

I asked root the same question and he suggested putting my unix account into sudo list to let me su prdusr without specifying a password.

He did that and it satisfies my requirement that I don't have to remember prdusr's password and have to enter it every time I su prdusr.

Now I just sudo su prdusr and no password prompt. My understanding of it is he temporarily lets my unix account have root privilege when I sudo su prdusr only. If I su prdusr, there is still a prompt for prdusr password. If I su any other user, I still need to supply that user's password.

I don't need to pipe a password.txt file to sudo su prdusr command. I meant to post this answer for everyone but your responses remind me to do this. Hope this thread would be useful for others too.
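The sudoers arrangement described in the post above, sketched as an added example that is not from the thread or from the poster's system. The account name `alice` and the path `/usr/bin/su` are assumptions; the point it shows is that the rule should pin the arguments to `su`, because a rule naming only the command allows any arguments.

```sudoers
# Added example, not the poster's actual configuration. Edit with visudo so
# that syntax errors are caught before the file is installed.
# "alice" is a hypothetical account; /usr/bin/su is an assumed path
# (confirm the real one with: command -v su).

# Too broad: with no arguments listed, sudo accepts ANY arguments, so this
# rule also permits "sudo su -" and hands alice a root shell without a password.
# alice  ALL = (root) NOPASSWD: /usr/bin/su

# Narrow: when arguments are listed they must match exactly, so only
# "sudo su prdusr" and "sudo su - prdusr" are permitted. Avoid a wildcard
# such as "prdusr*", which would also match other account names with
# that prefix.
alice  ALL = (root) NOPASSWD: /usr/bin/su prdusr, /usr/bin/su - prdusr

# Alternative that never runs su as root: let alice run commands as prdusr
# directly. Usage: sudo -u prdusr -i   or   sudo -u prdusr kill <pid>
# alice  ALL = (prdusr) NOPASSWD: ALL
```

`sudo -l`, run as the named account, lists the rules that apply to it, and every use is logged under the caller's own name rather than the shared prdusr account.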

Question here.

Are you 'sudo su prdusr' from another account other than prdusr? If YES this is a huge security risk if you are not using passwords. Not requiring a password when switching to this user means anyone could switch to this user and have the same rights. Big No No in the real world.

A work around to logging in as the user w/o a password would be to use ssh with key-based authentication (although sudo is the preferred method).

Copy the public key for your user account to the authorized_keys file for prdusr.

Then run 'ssh prdusr@localhost' as your user account. This will open an ssh session as the user and bypass the password prompt.

sudo is as dangerous as you make it. (sudo passwd, anyone?) Unless his sysadmin's completely crazy he'd have restricted sudo to only allow one or a handful of users to do this.

Thank you autocross.us for the ssh authentication suggestion. I saw that from my google search for this the other day so I will certainly keep that in mind for future.

This is just an old Solaris HP box that will be replaced in the near future and only a handful of programmers like myself are maintaining old sas applications on it.

So at the moment only root and myself can do this.

The original answer to my initial question was to eliminate prdusr password prompt altogether so limiting just myself and root to be able to su prdusr without the password prompt is a very good compromise for now as I switch to prdusr a lot during my work to submit/check jobs and monitor processes on the old box.

We have a sas problem that generates orphaned processes running forever daily.

I wrote a korn script to detect and auto kill these jobs but it only works partially by looking at very high CPU and no updates to saswork directories. But people can run very high cpu sas jobs without sort (updating their saswork directories) so my script is flawed. And now we are back to manual checking and emailing individual first before killing their jobs.

Just want to say that the ssh authentication route is probably the better route to go.

I implemented this and it works sometimes only and not always. I don't know what the problem is.

Piping the from file into sudo -S kill -9 process-id doesn't work in an alias. I still get password prompts. Implementing that in a batch korn script works sometimes but not always.