su with expect...in a single command?

Hello
I am trying to su from one user to another in a script. Now the person who runs the script (user) cannot have the password for the user he is su-ing to (webuser).

Here is my script which performs su. This is a hack job based on a few hours of web search.

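#!/usr/local/bin/expect
# The first argument is the webuser password; lindex returns it as a plain
# string, where lrange would brace-quote a value containing special characters.
set pssword [lindex $argv 0]
spawn su - webuser -c /home/webuser/testwebuser.sh
expect "Password:" { send "$pssword\r" }
expect "# " { send "q" }
exit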

As you can see, the script has to be run by passing the webuser password as a parameter, like this:

./expectscript.sh PASSWORD

I would be passing the password using plink in an exe file.

All this works fine. I was wondering if there is a way to write the entire script I wrote in a single command format so that I can use it in the plink statement itself, thus eliminating the need for ./expectscript.sh, which basically calls another script, testwebuser.sh?

If testwebuser is performing just a few tasks, would it be possible to eliminate both scripts and directly su to a different user and execute commands? (Any other language/tool/solution is also welcome.)

An example of the plink command is:

plink -ssh ip_addr_of_server -l user -pw userpassword "command to be executed"

where the command to be executed can be:

/home/user/expectscript.sh PASSWORD

The sudo utility is really the way to go here. Assume you want to start two background tasks, "/usr/local/bin/service1 -start -b" and "/bin/service2 -Y", as user webadmin; you could do it like this:

printf "Starting service one.."
sudo -u webadmin /usr/local/bin/service1 -start -b
echo
printf "Starting service two.."
sudo -u webadmin /bin/service2 -Y
echo

sudo has a configuration file (/etc/sudoers) where you can allow testwebuser (or anyone in the testgrp group, for example) to run these two commands (and only these two) as user webadmin without prompting for a password:

Cmnd_Alias WEBSTART= /bin/service2, /usr/local/bin/service1 
 
testwebuser ALL=(webadmin) NOPASSWD: WEBSTART
%testgrp ALL=(webadmin) NOPASSWD: WEBSTART

Hi Chubler_XL

My initial reaction was sudo as well. However the servers are managed by another datacenter and it is not possible for me to get them to add a sudo command for every time I think up a script.

The idea here is that other users performing testing in this environment can run certain scripts that I provide to them (say, a script to run jra recordings or restart a weblogic server) without knowing what they are running. I would keep providing them new scripts based on their requests. I do not have root access either; I only have access to webuser, while they log in as user.

Hence I need a flexible solution which does not involve the datacenter getting involved.

Sudo is pretty flexible: you could get the datacenter to set up a Cmnd_Alias pointing to a certain directory (that you control) and allow any scripts in that directory to be run by "user" as "webuser":

Cmnd_Alias WEBSCRIPTS= /home/webuser/asme/
 
user ALL=(webuser) NOPASSWD: WEBSCRIPTS

If you have to provide a new script just put it in your ~/asme directory and away you go, just make sure you have tight restrictions on access to this directory and it's all pretty safe.
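A check for the "tight restrictions" the directory rule above relies on, as an added example that is not part of the original thread: with WEBSCRIPTS pointing at a directory, any file another account can place or modify there runs as webuser. The function name audit_sudo_dir and the finding labels are made up for this sketch.

```shell
#!/bin/sh
# Added example: audit a directory that a sudoers directory rule exposes.
# Usage: sh audit_sudo_dir.sh DIR OWNER   (OWNER: user name or numeric uid)
# audit_sudo_dir is a hypothetical helper name, not part of sudo.

audit_sudo_dir() {
    dir=${1%/}
    owner=$2
    # The rule names a real directory; a symlink could be re-pointed elsewhere.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory: $dir"
        return 2
    fi
    findings=$(
        # The directory and every direct entry must belong to the target account.
        find "$dir" -maxdepth 1 ! -user "$owner" -print |
            sed 's/^/wrong owner: /'
        # Write access for group or others lets someone else plant or edit
        # a script that sudo will then run as the target account.
        find "$dir" -maxdepth 1 ! -type l \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/group- or world-writable: /'
        # A symlink here can point at a file outside the audited directory.
        find "$dir" -mindepth 1 -maxdepth 1 -type l -print |
            sed 's/^/symlink: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit when called with DIR and OWNER on the command line.
if [ "$#" -eq 2 ]; then
    audit_sudo_dir "$1" "$2"
fi
```

Run as webuser, for instance "sh audit_sudo_dir.sh /home/webuser/asme webuser", it prints one line per problem and exits non-zero if anything is found.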

Thanks Chubler, will definitely give this a try. It was one of the things I was trying to look into, but couldn't figure out how to do it.
I will update the post once I try it out.

Thanks Chubler, this seems to work pretty well.