  1. #1
    Just Joined!
    Join Date
    May 2008
    Posts
    3

    How to switch user via shell script?

    Hi All,

    I am new to this community.

    I am writing a shell script to be run on RHEL4 on the bash shell. This script has to be run as a user other than 'root' and execute some commands.

    One of the commands it uses requires root privileges. Now, I do not want to change the /etc/sudoers file or change the script permissions for that. The best way out is to temporarily switch to root user from the script, run the command, get the output and come back to the non-root user. I tried using 'sudo' and 'su' with some combination of options but the problem remains when the shell prompts for a password. If I supply the password manually it does execute the command, but I want to give the password through the shell script, which I am unable to do.

    Can anyone give me a solution to this?

  2. #2
    Linux User
    Join Date
    Jun 2007
    Posts
    318
    Putting a password in a script is a bad idea, especially if the password is for root. The 'su' command won't allow redirecting standard input from the terminal, you'll get this:

    Code:
    su - -c "df -h"<<++EOT++
    + su - -c 'df -h'
    standard in must be a tty
    What is the command you need to run as root? You could set owner of it to root and use the setuid so it'll run as root. If you go with this be very careful that you don't open your system to attack.

  3. #3
    Linux Guru
    Join Date
    Nov 2007
    Location
    Córdoba (Spain)
    Posts
    1,513
    Regardless of what you might think, using sudo is the most secure option because:

    1.- You don't have to leave a password in a text script
    2.- You will not be launching commands containing a password (they could be viewed by ANY user on the top or htop output)
    3.- You don't have to modify the ownership or permissions on the involved binaries.

    There's no easy way to feed su -c either, as vsmaska already told you.

  4. #4
    Just Joined!
    Join Date
    May 2008
    Posts
    3
    vsemaska, I agree that it is not a good idea to pass root password through script. I am open to another way round (if possible) by which I could run my command and stay away from passing the root password in the open.

    The command I want to use is 'pvs' or 'pvdisplay', which is a subcommand of lvm2. It displays the physical volume information of the disks attached to the system.

  5. #5
    Linux User
    Join Date
    Jun 2007
    Posts
    318
    Well the only way is to set up the user to use those commands via sudo. The commands /usr/sbin/pvs & /usr/sbin/pvdisplay are symlinks to /usr/sbin/lvm. So if you didn't want to use sudo you would have to setuid with the command:

    Code:
    chmod 4555 /usr/sbin/lvm
    But that would be dangerous because it would allow a non-root user to use the other lvm commands like pvcreate.

  6. #6
    Just Joined!
    Join Date
    May 2008
    Posts
    3
    Code:
    chmod 4555 /usr/sbin/lvm

    Thanks for the help, but it still does not solve the problem.
    I tried this command by the non-root user, but it did not allow me to change the permission of lvm. I think this will work only as a root user.

    Everything I have to do is on a non-root user because the script is going to be run in normal user mode only. Therefore, any command not working in a normal user mode is not of much help.

    I did not get the 'setuid' part though. I looked up this command but I believe it will also not work when I try to change the UID of a command from a normal user mode. Could you please explain it in a bit more detail...

  7. #7
    Linux User
    Join Date
    Jun 2007
    Posts
    318
    Program lvm is owned by root so you would only be able to change its permissions as root. You would use the chmod command only once as root.

    What the setuid does is described in the '# info coreutils chmod' as follows:

    1. set the process's effective user ID to that of the file upon
    execution (called the "setuid bit"). No effect on directories.

    Since lvm is owned by root, using the setuid will cause lvm to be run as root regardless of who runs it.

    I tend to use the numeric mode of chmod, so to set user ID on execution the value is 4000. In symbolic mode the command would be:

    Code:
    chmod u+s /usr/sbin/lvm
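
The thread's warning that a setuid bit on /usr/sbin/lvm also covers pvcreate can be checked with an audit like the one below. It is an added example, not written by any poster in the thread; it lists every command name in a directory that resolves to the same binary and reports whether that binary is setuid. The function names and the temporary directory in `demo` are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit what a setuid bit on a multi-call binary exposes.

# is_setuid FILE: succeed if the setuid bit is set (symlinks are followed).
is_setuid() {
    [ -u "$1" ]
}

# exposed_names FILE DIR: print, sorted, every entry in DIR that resolves
# to the same real file as FILE (the binary itself plus its symlinks).
exposed_names() {
    local target entry
    target=$(readlink -f -- "$1") || return 1
    for entry in "$2"/*; do
        [ -e "$entry" ] || continue
        if [ "$(readlink -f -- "$entry")" = "$target" ]; then
            basename -- "$entry"
        fi
    done | sort
}

# audit FILE DIR: one-line verdict with the owning uid and exposed names.
audit() {
    local target owner names
    target=$(readlink -f -- "$1") || return 1
    owner=$(ls -ldn -- "$target" | awk '{print $3}')
    names=$(exposed_names "$target" "$2" | tr '\n' ' ')
    if is_setuid "$target"; then
        echo "SETUID uid=$owner exposes: ${names% }"
    else
        echo "not setuid (uid=$owner): ${names% }"
    fi
}

# Constructed stand-in for /usr/sbin: a fake lvm with three symlinks.
demo() {
    local d n
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/lvm"
    for n in pvs pvdisplay pvcreate; do ln -s lvm "$d/$n"; done
    chmod 0555 "$d/lvm"; audit "$d/pvs" "$d"
    chmod 4555 "$d/lvm"; audit "$d/pvs" "$d"
    rm -rf "$d"
}

demo
```

On a real system, `audit /usr/sbin/pvs /usr/sbin` gives the same kind of report for the actual lvm binary; a sudo rule limited to the pvs and pvdisplay paths avoids the wider exposure.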
