topic Re: su to another user in a script in Operating System - HP-UX

su to another user in a script

ken_5 — Thu, 01 May 2003 13:36:34 GMT

I know this is not something that can be done, however, I need to do it.
I have a simple script
test.sh
whoami

I do the chown and the chmod
chown usera test.sh
chmod 4555 test.sh

ll
-rwsr-xr-x 1 usera users 33 May 1 10:17 test.sh

now when I run the script when logged in as another users say userb it says that I'm userb. :) I need this to say usera so that I can use this script to move files into a directory protected by usera without giving permission to userb. The completed version of this script will be used to log the transaction and keep a protected history of the files going into that directory. Hope this makes sense, and thanks for your help. ;)

Re: su to another user in a script

Stefan Farrelly — Thu, 01 May 2003 13:48:50 GMT

Do it this way;

su - usera -c "/test.sh"

And that will run it properly as user usera.

Re: su to another user in a script

ken_5 — Thu, 01 May 2003 14:16:58 GMT

This command would require me to type the password for usera. That would allow userb to login directly to that account and execute the command without using the script. Is there a way to pass the password within the script?

Re: su to another user in a script

ken_5 — Thu, 01 May 2003 14:28:51 GMT

Just figured it out. There has to be a #!/usr/bin/sh on the first line of the script or it will fail to change to the new userid. Thanks for your help. :)

Re: su to another user in a script

Bill Douglass — Thu, 01 May 2003 14:43:13 GMT

Instead of a suid shell script (which is a security hole), try installing sudo

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.6/

and configure userb in the sudoers file to only be able to run your script:

userb ALL=(usera) /path/to/test.sh

Then userb can do

sudo -u usera /path/to/test.sh

userb wil not need to know usera's password, the script will not need to be suid, and you will get a log of all actions in your syslog (depending on how you have /etc/syslog.conf configured).

Re: su to another user in a script

John Meissner — Thu, 01 May 2003 15:02:43 GMT

you actually have two options.

have the script execute as root... this will not require any password to execute the above script. this is the recommended way.

if you can't do this and you need to pass a password you could use expect. expect is downloadable from here http://expect.nist.gov/
and very easy to use. you just type what you want the script to do basically. I'm attaching a copy of one of my expect scripts
- my script is an example but it telnets into a server and executes things.... but you can use it to automate almost anything

Re: su to another user in a script

ken_5 — Thu, 01 May 2003 16:28:36 GMT

I had read about expect and sudo in other posts, however, I did not want to have to install and document anything new on the system. Nor, research the security risks. ;)
but I'm sure they would both work from what I've read.
thanks