- 10-27-2010 #1 Just Joined!
- Join Date
- Oct 2010
- Location
- Joplin, Mo.
- Posts
- 2
su & sudo within bash script
This is an odd sort of problem. I'm working on a script which handles disaster recovery for a system I'm developing. Part of the script will also be used for initial setup. It needs to require as little user interaction as possible. It also needs to be run as root during most of the process. The problem is that there comes a point where some of the software can't be compiled or installed as root. So root needs to su to a regular user who then has to sudo in order to compile & install the aforementioned software. After all this, the script needs to revert to its original state, running as root.
I told you it was odd. I've never encountered a situation where root had to su to a normal user in order to sudo as root.
I'm not quite sure how I want to proceed, but I'm open to suggestions.
Thanx,
Ed
- 10-27-2010 #2 Linux Newbie
- Join Date
- Mar 2010
- Posts
- 121
Why not? Is this some restriction the makers of the software place on you? Is it possible to change their scripts/build system to remove this restriction?
When I need automated scripts to run as root (but want to do as little as possible as the root user) I use the following system:
- Write a script that does whatever you want done as the root user, say /usr/local/bin/do-stuff.
- Make it writable only by the root user, but executable by everyone.
- Add the following line in /etc/sudoers:
%admin ALL=(ALL) NOPASSWD: /usr/local/bin/do-stuff
That way, someone in the group admin (which I am on my system) can run do-stuff using "sudo do-stuff" without having to enter a password, but they can't do arbitrary stuff because they can't edit do-stuff without a root password.
Of course, this is only as secure as your do-stuff script, so be cautious - this only works because the stuff I use it for on my system is stuff like auto-mounting specific file systems, which I'd be happy to let anyone do anyway (for those file systems, at least). You could always make the user that's allowed to run these scripts without a password be some user created specifically for the task, with some hard-to-guess password so only root can become that user by using su... it's an option, I guess.
- 10-28-2010 #3 Just Joined!
- Join Date
- Oct 2010
- Location
- Joplin, Mo.
- Posts
- 2
Yes, the software is designed to be run by a normal user, & will refuse to compile for root. It's a security feature. I don't know if it could be defeated, but even if it could I wouldn't want to.
I already have a normal user in /etc/sudoers. I don't mind being prompted for a password occasionally. What I want to avoid is having to exit the script to perform a series of tasks manually. I'd also prefer not to have to call external scripts if at all possible.
One possibility I'm considering is
Code:
su -c command user
where command is the sudo task & user is the normal user created for the purpose & listed in /etc/sudoers. I'm not sure if it will work. I'm still trying to determine a way to test it. It's a fairly simple task on the command line, but scripting has turned out to be somewhat convoluted.
Ed
- 10-28-2010 #4 Linux Newbie
- Join Date
- Mar 2010
- Posts
- 121
- 10-28-2010 #5
Also, if you want to run the command using the user's environment rather than root, you should use -
Code:
su - user -c command
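Added example, not part of any post in this thread: a helper for a root-owned script that runs a single step as an unprivileged user with `su - user -c command` and then carries on as root, since `su` is only a child process. The names `shquote`, `run_as`, `DRY_RUN`, the user `builder` and the paths are hypothetical; the quoting step matters because `su -c` takes one string that the user's shell re-parses.

```shell
#!/bin/sh
# Added example (not from the thread). All names below are hypothetical.

# Quote every argument so it survives re-parsing by the shell su -c starts.
# Each ' inside an argument becomes '\'' and the whole argument is wrapped
# in single quotes, so spaces, $(...) and ; are passed through as data.
shquote() {
    sq_out=""
    for sq_arg in "$@"; do
        sq_esc=$(printf '%s' "$sq_arg" | sed "s/'/'\\\\''/g")
        sq_out="$sq_out${sq_out:+ }'$sq_esc'"
    done
    printf '%s\n' "$sq_out"
}

# run_as USER CMD [ARG...]
# Runs CMD as USER with USER's login environment ("su - USER", as in post #5).
# Root is not asked for a password by su. The exit status of CMD is returned,
# and the calling script is still running as root afterwards.
# With DRY_RUN set, the command line is printed instead of executed.
run_as() {
    ra_user=$1
    shift
    ra_cmd=$(shquote "$@")
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'su - %s -c %s\n' "$ra_user" "$ra_cmd"
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_as: must be called from the root script" >&2
        return 1
    fi
    su - "$ra_user" -c "$ra_cmd"
}

# Usage inside the root script (constructed user and path):
#   run_as builder make -C "/home/builder/src/my app" || exit 1
#   echo "still root here: uid $(id -u)"
```
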
