Home / ubuntu / Questions / 153326
In Process
Sniperm4n
Asked: 2012-06-20 16:13:09 +0800 CST

Passwordless su in a Bash script?

  • 772

I've run into a dilemma while migrating a Hadoop installation from Oracle Enterprise Linux to Ubuntu. The prior developer put the following command into rc.local within OEL:

su reporter -c "cd /path/to/directorywithscript && bash runwebserver.sh >> /dev/null 2>&1&"

I need the above webserver to automatically start (and stop) in Ubuntu as the specified reporter user. (The automation stuff is much less important than getting this script to properly run as the reporter user, but is a "nice to have" feature.)

This process needs to start last, as I still need to configure a couple of other Hadoop-related scripts to automatically start before this one (the webserver resides in the Hadoop filesystem, which doesn't get mounted until after you're in the OS). Every time I issue the su command I get asked for a password. This occurs regardless of which user is currently "active" and wasn't a problem in OEL since the Root user is actually used. Here is my current attempt at a /etc/sudoers file, but it's still not working (I'm unsure if the changes I made at the bottom are correct):

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification

# Allow members of group sudo to execute any command after they have
# provided their password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# User privilege specification
root    ALL=(ALL) ALL
user3 ALL=(ALL)NOPASSWD:/bin/su
user2 ALL=(ALL)NOPASSWD:/bin/su
user1 ALL=(ALL)NOPASSWD:/bin/su
reporter ALL=(ALL)NOPASSWD:/bin/su

This is a duplicate of a thread I posted over at UbuntuForums.org (http://ubuntuforums.org/showthread.php?p=12040341#post12040341), but I'm getting desperate for an answer =P. Please note that my Linux knowledge is still weak (I knew almost no Linux before this project was dropped in my lap). Any help is greatly appreciated as this is currently a major stumbling block!

Thanks, -Snipe

bash

2 Answers

  1. Your current edits to /etc/sudoers effectively let user1, user2, user3, and reporter perform any action as root (since running su lets you become root)! You almost certainly do not want this. And this doesn't help your current problem at all, because you don't want those users to run something with an alternate identity, you want root to run something with an alternate identity. Before proceeding, I recommend getting rid of those lines from /etc/sudoers (edit it with visudo of course) unless you're absolutely sure that's what you want.

    If you're a non-root user and you run this, you will always be asked for a password:

    su reporter -c "cd /path/to/directorywithscript && bash runwebserver.sh >> /dev/null 2>&1&"

    But when root runs that, it should simply succeed (assuming it worked before on Oracle Enterprise Server and the only relevant difference is that root login is disabled on Ubuntu).

    When you put that line in rc.local, in any GNU/Linux distribution, including Ubuntu, it is run as root. It should just work. When you run it from the command-line, it will not work. But in rc.local, it should just work.

    If you want to test it from the command-line, give yourself a root shell of the kind pretty similar to rc.local's environment:

    sudo -i

    (This simulates an initial root login shell. Normally, for a root shell, use sudo -s. And of course, to run a command ... with sudo, just use sudo ....)

    su -c and sudo take different syntax, so if you did want to make that command use sudo instead of su, you'd have to make additional changes. The easiest way is probably:

    sudo -u reporter bash -c "cd /path/to/directorywithscript && ./runwebserver.sh >> /dev/null 2>&1&"

    However, I emphasize that you do not need to convert su commands to sudo for them to run properly out of rc.local.

    In Ubuntu, unlike Oracle Enterprise Server, logging in as root is disabled by default (and you almost certainly shouldn't enable it). But su still works when run by root. su also works for a non-root user changing identity to another non-root user.

    If you have this line in rc.local and it's not working, the reason isn't issues of sudo vs. su. In that case, something else is going wrong. For us to troubleshoot it, you'd have to provide the contents of runwebserver.sh.

    Finally, please note that bash runwebserver.sh >> /dev/null 2>&1& is rather inelegant. It's simpler to understand (and, much less importantly, looks nicer) to use bash runwebserver.sh &>> /dev/null. You said this runs last in rc.local, so you don't have to use & to background it.

    However, you should consider if you really want to suppress standard error as well as standard output (as you're currently doing). Presumably if something is written to standard error then it's either important or can be suppressed by altering your web server's verbosity settings.

    • 2

  2. If you don't want to be asked for a password you will have to use to execute su as root, so you will have to use:

    sudo su reporter -c "cd /path/to/directorywithscript && bash runwebserver.sh >> /dev/null 2>&1&"

    However, i think what you are trying to do is a realy bad idea, you are allowing every user to log in as anyone else, including root.

    • 0