Switching to user to stop db

Hi all, I have a script that I will need to run occasionally to stop my db2 instance:

stopDB2.sh

su -l -c "db2 force application all"
su -l -c "db2 terminate"
su -l -c "db2 stop"
su -l -c "db2licd -end"

This works when I su to the instance owner (archive), and run each line. I need to do this as a script so that root can run it, and I can possibly call it from other scripts.

jeff@rhel73 [01:22:42] ~/startup/ ->./stopDB2.sh
Password:
su: Authentication failure

What is the best way to do this?

Set up passwordless authentication first.

Within /etc/pam.d/su:

auth            [success=ignore default=1] pam_succeed_if.so user = archive
auth            sufficient      pam_succeed_if.so use_uid user = archive

I am still prompted for a password.

Looking at your command prompt, you're logged in as jeff, yet the PAM config is looking for archive?

Would it not be better to use the wheel group rather than individual users?

auth           sufficient      pam_wheel.so trust use_uid

Could it be neater to use sudo to run your script? You can write a rule (use visudo) to allow specific users or groups to run it. You could then have a calling script or even an alias that just contains:

sudo -u username /path/to/stopDB2.sh

Does this offer a useful alternative?

Robin

As an example of what rbatte1 is talking about, you can have this code near the top of your stopDB2.sh file:

# Re-exec this script through sudo unless we are already the instance owner.
username=$(/usr/bin/whoami)
if [ "$username" != "archive" ]
then
   # "$0" is this script; "$@" passes any arguments along unchanged
   exec sudo -u archive "$0" "$@"
fi

Now set up a group for your database administrators, e.g. dbadmin, and set the permissions on the /usr/local/bin/stopDB2.sh file as r-x for group dbadmin.

Then have the following sudo configuration entry to allow group dbadmin to run stopDB2.sh as user archive without a password (remember to only ever use visudo to edit your sudo configuration):

%dbadmin ALL=(archive) NOPASSWD: /usr/local/bin/stopDB2.sh

Then your dbadmin users should be able to simply run stopDB2.sh without even needing to remember to invoke it with sudo.

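Pulling the thread's pieces together, as an added example that is not from any of the posters: a complete stopDB2.sh skeleton that re-execs through sudo as the instance owner and, before doing anything under the NOPASSWD rule, refuses to run if the script file is not root-owned or is group/world-writable, since such a rule hands the instance owner's identity to anyone who can edit the file. Assumed: instance owner archive, install path /usr/local/bin/stopDB2.sh, the sudoers line from the thread, and the db2 commands exactly as posted.

```shell
#!/bin/sh
# Added example (not from the thread): a hardened skeleton for stopDB2.sh that
# combines the sudo re-exec trick with the file-permission check a NOPASSWD
# rule relies on. Assumptions: instance owner "archive", script installed
# root-owned at /usr/local/bin/stopDB2.sh, sudoers rule as in the thread.
INSTANCE_OWNER="${INSTANCE_OWNER:-archive}"

# Returns 0 when the current user ($1) is not the instance owner ($2),
# i.e. when the script should re-exec itself through sudo.
needs_reexec() {
    [ "$1" != "$2" ]
}

# A NOPASSWD rule lets anyone who can modify the script run arbitrary commands
# as the target user, so the file must be owned by the expected account ($2)
# and must not be group- or world-writable. Parses the mode string of "ls -ld".
check_script_perms() {
    path=$1
    want_owner=$2
    out=$(ls -ld "$path") || return 1
    set -- $out                              # $1 = mode string, $3 = owner
    [ "$3" = "$want_owner" ] || return 1
    case "$1" in
        ?????w*|????????w*) return 1 ;;      # group or other write bit set
    esac
    return 0
}

# The shutdown steps exactly as posted in the thread, run as the instance owner.
stop_db2() {
    db2 force application all
    db2 terminate
    db2 stop
    db2licd -end
}

main() {
    if needs_reexec "$(id -un)" "$INSTANCE_OWNER"; then
        exec sudo -u "$INSTANCE_OWNER" "$0" "$@"
    fi
    if ! check_script_perms "$0" root; then
        echo "refusing to run: $0 must be root-owned and not group/world-writable" >&2
        exit 1
    fi
    stop_db2
}

# Run the shutdown only when invoked as stopDB2.sh; the functions can be sourced.
case "${0##*/}" in stopDB2.sh) main "$@" ;; esac
```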