To execute certain commands in a script using a different unix account.

I have a Korn shell script (main.sh) owned by Unix account "A". I want to execute certain lines in the script as another user, "B" (with user "B"'s login profile). I need to do this for multiple lines that are to be executed under different Unix accounts in main.sh.
I was trying to use "su - <account>", but it prompts me for a password in interactive mode. How do I write the main.sh script so that it executes various commands by logging in as different accounts and login profiles? Is there a way to automatically feed the password to the "su" command so that it is accepted?

Unix is Sun Solaris.

Thanks,
Sathiyakum.
Tintin commented:
You should use sudo. sudo is a tool that allows you to give controlled privs to certain users.

Download from http://sunfreeware.com/
brettmjohnson commented:
You will need to break the "certain lines" out into a separate script and make that script a "setuid" script owned by user "B". Setting the "setuid" bit allows programs to execute as the owner of the program, rather than the user. However, setuid shell scripts are considered a security risk and several flavors of Unix explicitly prohibit setuid shell scripts (Linux and Mac OS X 10.3.9+).

http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html

yuzh commented:
sudo is the way to go.

You can also download "expect" from:
http://sunfreeware.com/

then use "autoexpect" to create an expect script to handle the password.

Put the lines of commands in a script, and use an expect script to run the script.
(Better to do: "su - username -c command".)

In the main script, call the expect script.

Have a look at the following page to learn more about expect:
http://expect.nist.gov/
moshkino commented:
You can set up passwordless ssh into the same host with a different username. When this is set up, do
ssh <username>@<localhost> <command>
Hanno P.S. (IT Consultant and Infrastructure Architect) commented:
Assume a script like this:
#!/bin/sh
some
lines
 . . .
certain
lines
 . . .
some
more
lines

To execute the "certain lines" with a different user, put these in a sub-shell to be run with that user:
#!/bin/sh
some
lines
 . . .
# -c takes a single command string, so the lines go inside one quoted argument
su - user -c 'certain
  lines'
 . . .
some
more
lines
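The sudo answers above (Tintin, yuzh) and Hanno's su -c sketch both come down to the same layout: the "certain lines" go into a separate script owned by B, and main.sh hands that script to sudo (with a NOPASSWD rule, so no prompt) or to su, whose -c option takes exactly one command string. The example below is added here and is not code from the thread. It assumes a hypothetical sudoers rule for A, a hypothetical helper path /usr/local/lib/main/as_b.sh, and sudo installed under /usr/local/bin as the sunfreeware package does; all three are assumptions. It also adds the check a practitioner wants before trusting such a rule: if A can modify the file that sudo or su runs as B, the rule lets A run anything as B, so helper_is_safe refuses helpers that are not owned by root or B, that are group or world writable, or that the invoking account can write.

```shell
#!/bin/sh
# main.sh: added example, not code from the thread. POSIX sh / ksh compatible.
# The "certain lines" live in a helper script owned by B; run_as executes it as B.
#
# Assumed sudoers rule for account A (hypothetical path; install with visudo):
#   A  ALL=(B) NOPASSWD: /usr/local/lib/main/as_b.sh
SUDO=${SUDO:-/usr/local/bin/sudo}   # assumption: sunfreeware install location

# sq/cmdline: quote words so that a "sh -c" string re-parses into the same
# words; an embedded single quote becomes '\''.
sq()      { printf "'%s' " "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"; }
cmdline() { for a; do sq "$a"; done; }

# helper_is_safe FILE TARGET_USER: a sudo/su rule pointing at a file the
# invoker can edit lets the invoker run anything as TARGET_USER, so refuse
# files not owned by root or TARGET_USER, group/world-writable files, and
# files the invoking account can write.
helper_is_safe() {
    f=$1 target=$2
    [ -f "$f" ] || { echo "helper_is_safe: no such file $f" >&2; return 1; }
    mode=$(ls -ld "$f" | awk '{ print $1 }')
    owner=$(ls -ld "$f" | awk '{ print $3 }')
    case $owner in
        root|"$target") ;;
        *) echo "helper_is_safe: $f owned by $owner, want root or $target" >&2; return 1 ;;
    esac
    case $(printf '%s' "$mode" | cut -c6,9) in      # group w bit, other w bit
        --) ;;
        *) echo "helper_is_safe: $f is group/world writable ($mode)" >&2; return 1 ;;
    esac
    if [ "$(id -un)" != "$target" ] && [ -w "$f" ]; then
        echo "helper_is_safe: $f is writable by invoker $(id -un)" >&2; return 1
    fi
    return 0
}

# run_as USER HELPER [ARG...]: run HELPER as USER and return its exit status.
# Already that user: run directly. sudo present: arguments are passed
# verbatim, no -c string needed. Otherwise su, which needs one command
# string (built with cmdline) and prompts unless the caller is root.
run_as() {
    target=$1; shift
    helper_is_safe "$1" "$target" || return 1
    if [ "$(id -un)" = "$target" ]; then
        "$@"
    elif [ -x "$SUDO" ]; then
        "$SUDO" -H -u "$target" "$@"
    else
        su - "$target" -c "$(cmdline "$@")"       # '-' loads B's login profile
    fi
}

# ... lines that run as the invoking account (A) go here ...
# Usage: main.sh B /usr/local/lib/main/as_b.sh [args for the helper]
if [ $# -ge 2 ]; then
    target=$1; helper=$2; shift 2
    run_as "$target" "$helper" "$@" || { echo "main.sh: step as $target failed" >&2; exit 1; }
fi
# ... more lines that run as A ...
```

Each block of "certain lines" gets its own helper and its own sudoers rule, which keeps the rule narrow: A may run that file as B, and nothing else. su - sources B's login profile; with sudo, -H only sets HOME, and a login shell for B needs sudo's -i option where the installed version supports it.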
yuzh commented:
>>Does Solaris allow scripts to be setuid? Are they safe?
   setuid is considered a security hole in the system; most sysadmins (including me)
will not allow it on the system.
brettmjohnson commented:
> Does Solaris allow scripts to be setuid?

AFAIK, yes.


> Are they safe?

Setuid shell scripts are considered unsafe because the scripting environment
itself is exploitable. There are steps you can take to make it less exploitable.
See the FAQ I linked to in my previous answer. Generally, when I have written
SETUID shell scripts, I kept them small (the "few lines" alluded to in the posted
question), I followed the recommended precautions, I used explicit paths for
external commands, and the SETUID user had reduced privileges (no SETUID
root scripts allowed).


> I like the 'expect' and local-host-different-user-login approaches.

This has the serious side effect that the password for the SETUID user is stored
in an underprivileged file: the current user needs read permissions on the
file in order for expect to function. (Unless, of course, you run expect itself SETUID.)
If the current user has read permissions on the file containing the password,
then that user can learn the password.

Similarly, using sudo without expect requires the current user to know the
other user's password. These approaches, where the current user must
know or can learn the other user's password, are generally unacceptable,
especially if the other user has elevated privileges.

Tintin commented:
By default, all Solaris systems do not allow SUID scripts.
yuzh commented:
>>Similarly, using sudo without expect requires the current user to know the
other user's password. These approaches, where the current user must
know or can learn the other user's password, are generally unacceptable -

You can set up sudo to run commands without a password!

>>If the current user has read permissions on the file containing the password,
then that user can learn the password.


In the expect script, make the login name and password command-line args; don't hard-code
them (or make the script readable only by the owner).
modulo commented:
PAQed with no points refunded (of 500)

modulo
Community Support Moderator