I have a web application that runs a program which needs X. I'm using xvfb to launch it; I want to run it as another user.
I could probably do sudo -u username -p password my command. However, I'm not feeling too good about storing the user's password in plain text.
Is there a "smarter" way of doing this?
Use suEXEC which allows a script to be run as the owner of the file, rather than the webserver user.
The way I've seen it done is to give the Apache user sudo privilege for just that one very specific command (apache2ctrl restart in our case). You don't need to use passwords; if you're storing it in plaintext somewhere that the Apache user can read, then you may as well not have one.
Unless of course you need to run multiple different commands through Sudo as the Apache user. That could get awkward if you're having to add sudo privileges for each of the commands.
If you need to do this outside of Apache at any point, here is a more general solution.
To allow one user to repeatedly run a specific command as another user you could create a shell script owned by that user with the setuid bit enabled that simply runs the command you need. Make sure you only make the script executable by trusted users by setting the group ownership to the apache group (make sure no other users are in this group) and disabling execute permission for all others besides the apache group and your user.
An example:
A bit late to answer now, perhaps, but I feel that the NOPASSWD feature of sudo needs to be mentioned. For instance, in /etc/sudoers (assuming apache is the user running the web server):
And invoke sudo -u username my_command. No need to store the password, and you only allow the web server to execute my_command as username. The user username can still keep its password.
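As an added example (not code from this thread), a small Python checker for sudoers rules of the shape the NOPASSWD answer describes, to confirm a rule grants only the one command to the one account; the names apache, username and my_command are the thread's, the rule text and the /usr/local/bin path are constructed.

```python
import re
from os.path import basename

# Matches one simple sudoers user specification of the shape discussed above:
#   apache ALL=(username) NOPASSWD: /usr/local/bin/my_command ""
# (one host, one runas list, optional PASSWD/NOPASSWD tag, one command; aliases
# and Defaults lines are out of scope and are reported as unparsed).
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:(?:NO)?PASSWD:\s*)*)(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)
# Granting any of these equals granting arbitrary commands as the runas user.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python3", "perl", "env"}

def check_rule(line: str) -> list:
    """Return findings for one rule; an empty list means it is as narrow as intended."""
    m = SPEC_RE.match(line.strip())
    if not m:
        return ["unparsed: not a simple 'user host=(runas) [NOPASSWD:] cmd [args]' rule"]
    findings = []
    if m["user"] == "ALL":
        findings.append("user: applies to ALL users, not just the web server account")
    if "ALL" in m["runas"].split(","):
        findings.append("runas: (ALL) lets the command run as any user, root included")
    cmd, args = m["cmd"], m["args"]
    if cmd == "ALL":
        findings.append("command: ALL grants every command")
    else:
        if not cmd.startswith("/"):
            findings.append("command: path is not absolute")
        if re.search(r"[*?\[]", cmd):
            findings.append("command: wildcard in path matches more than one binary")
        if basename(cmd) in INTERPRETERS:
            findings.append("command: a shell or interpreter is effectively unrestricted")
        if args is None:  # sudoers: no argument list means any arguments are accepted
            findings.append('args: unrestricted; append "" to forbid arguments')
        elif args != '""' and re.search(r"[*?\[]", args):
            findings.append("args: wildcard lets the caller inject extra arguments")
    return findings

# Constructed sample rules for this thread's scenario (not from any real sudoers file).
SAMPLE_RULES = [
    'apache ALL=(username) NOPASSWD: /usr/local/bin/my_command ""',
    "apache ALL=(username) NOPASSWD: /usr/local/bin/my_command",
    "apache ALL=(ALL) NOPASSWD: ALL",
    "apache ALL=(username) NOPASSWD: /bin/bash",
    "apache ALL=(username) NOPASSWD: /usr/local/bin/my_command *",
]

def audit(rules) -> dict:
    """Map each rule to its findings so a reviewer can see which ones are too broad."""
    return {rule: check_rule(rule) for rule in rules}
```

Only the first sample rule comes back clean; the others show the usual ways a rule ends up broader than "this one command as username". Run `visudo -c` on the real file as well, since this checker validates intent, not syntax.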