linux - Run startup script with another user
2014-07
I have two users, user1 and user2. Tomcat is owned by user1 and is started with user1 only.
I need to make a rule for user2 such that user2 can start/stop tomcat, but tomcat should always be started with user1.
I have tried the following command:
su -c "./catalina.sh start" user1
But this requires user1's password. Another thing that I have tried is an entry in the sudoers file:
user2 ALL=(user1) NOPASSWD: /opt/Tomcat/bin/startup.sh,/opt/Tomcat/bin/shutdown.sh
[user2@DRWJHK bin]$ sudo /opt/Tomcat/bin/startup.sh
Sorry, user user2 is not allowed to execute '/opt/Tomcat/bin/startup.sh' as root on localhost.localdomain.
Still I am unable to start tomcat as user1. Please help me solve this requirement.
With sudo, you need to pass the -u option. Try:
sudo -u user1 /opt/Tomcat/bin/startup.sh
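To see why the first attempt was refused and the -u form is accepted, here is an added example (not code from the question or the answer above) that models a simplified subset of sudoers matching in Python: the Runas_Spec, the NOPASSWD tag and the command list, using the sudoers line and paths from the question as constructed input. It deliberately ignores aliases, wildcards, command arguments and the other Defaults that real sudo consults.

```python
import re

# Constructed sample: the sudoers entry from the question, not a real host's file.
SUDOERS_LINE = "user2 ALL=(user1) NOPASSWD: /opt/Tomcat/bin/startup.sh,/opt/Tomcat/bin/shutdown.sh"

# Hypothetical parser for one plain user specification: User Host=(Runas) [TAG:] cmd,cmd
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?"
    r"(?P<cmds>.+)$"
)

def parse_rule(line):
    """Parse a single simple sudoers user specification into a dict."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported sudoers syntax: " + line)
    runas = m.group("runas")
    # With no Runas_Spec, sudo's default target user is root.
    runas_users = [u.strip() for u in runas.split(",")] if runas else ["root"]
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": runas_users,
        "nopasswd": m.group("tag") == "NOPASSWD",
        "cmds": [c.strip() for c in m.group("cmds").split(",")],
    }

def check(rules, invoker, command, target="root", host="localhost.localdomain"):
    """Return (allowed, needs_password) for `sudo -u <target> <command>` run by invoker.
    target defaults to root, which is what a bare `sudo <command>` asks for."""
    for r in rules:
        if r["user"] != invoker:
            continue
        if r["host"] not in ("ALL", host):
            continue
        if "ALL" not in r["runas"] and target not in r["runas"]:
            continue  # Runas_Spec does not cover the requested target user
        if "ALL" not in r["cmds"] and command not in r["cmds"]:
            continue  # command is not in the permitted list
        return True, not r["nopasswd"]
    return False, True

rules = [parse_rule(SUDOERS_LINE)]
# Bare `sudo startup.sh` targets root, which the rule never granted: denied.
print(check(rules, "user2", "/opt/Tomcat/bin/startup.sh"))
# `sudo -u user1 startup.sh` matches the Runas_Spec and NOPASSWD applies.
print(check(rules, "user2", "/opt/Tomcat/bin/startup.sh", target="user1"))
```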
Ok, here's my problem - Please don't yell at me for being insecure! :) This is on my host machine. I'm the only one using it so it's fairly safe, but I have a very complex password that is hard to type over and over. I use the console for moving files around and executing arbitrary commands a LOT, and I switch terminals, so sudo remembering for the console isn't enough (AND I still have to type in my terrible password at least once!) In the past I have used the NOPASSWD trick in sudoers but I've decided to be more secure. Is there any sort of compromise besides allowing no password access to certain apps? (which can still be insecure) Something that will stop malware and remote logins from sudo rm -rf /-ing me, but in my terminals I can type happily away? Can I have this per terminal, perhaps, so just random commands won't make it through? I've tried running the terminal emulations as sudo, but that puts me as root.
Try adding this to your sudo options:
Defaults timestamp_timeout=0, tty_tickets
The tty_tickets option (on by default) will make sudo ask for the password if it was not asked previously in that particular tty (including terminal emulators' ptys), and the timestamp_timeout=0 option will make it not ask again in the whole session.
So, when you want to do some administrative operations, you can open a terminal, sudo something, close it, and you will be safe again.
The obvious solution to me is to reduce the complexity of your password. You seem happy to go for no password rather than a long, complex one, so why not look at this middle ground as a valid option?
If your machine is connected to a network then there is a risk of compromise. With no password, you do open yourself up to opportunistic exploitation, so even a simple password offers extra security.
The most secure alternative to using no password is to use an alternative authentication method via PAM. You could, for instance, use a smartcard reader. You'd simply insert the card before using 'sudo', and remove it when done. There is even a PAM module for voice authentication. If you can't find a PAM module that you like and you're not comfortable with C, there are Python bindings.
Check out this list of PAM modules.
Set rootpw in your /etc/sudoers:
Defaults rootpw
Give root a simpler password than yours. Remember to forbid root login over ssh, in case you have installed an ssh server.
If your horrible password is to protect your files, then they are really protected only if they are encrypted; otherwise this is just "security theater". Assuming this is why you want to keep the big one, you will be safe: breaking root's password still won't be enough to decrypt your files, and any kind of malware will fry your CPU before guessing the password.
A different approach to /etc/sudoers and such would be sudo -i and staying root. For example, if you use GNU screen, you can have one window as a regular user and a second where you issue sudo -i and stay root.
If your ~/.screenrc looks like this, issuing screen automatically opens two "tabs" for you accordingly:
hardstatus alwayslastline "%w"
screen -t normal
screen -t root sudo -i
In /etc/sudoers (visudo) add a line like this:
uberjim ALL = (ALL) NOPASSWD:ALL
then as your user, once logged in (with your secure password) you can just type:
sudo /cmd/you/want/to/run
No password required :) Have fun