2

I want to be able to allow users to run a specific command as another user, is this possible?

I have a script that reads a remote file through ssh to get a status, something like:

#!/usr/bin/sh

# Read the state file on the remote host as the auto user
state=$(ssh -q -i "$HOME/.ssh/id_rsa" auto@remote-host "[ -f /path/to/state/file ] && cat /path/to/state/file 2>/dev/null")

printf '%s' "${state}"

The auto user has a key set up so that it can log in to the remote machine without a password. I want users to be able to run this script without needing to worry about setting up their own key, for example:

bob@local-machine$ /path/to/state-check

So, the bob user can run the script as the auto user without hassle. I know you can use something like

su auto -c "/path/to/state-check"

But that would still require access to the auto user's password or sudo. Is there a way to set up a file that allows bob to run specific commands as auto passwordless? Or should I redesign the tool so that the state files are fetched and stored locally? I'm not really sure of a good way to do this. I'm running this on RHEL 9 machines.

Cyrus
Andrew

2 Answers

1

> I want to be able to allow users to run a specific command as another user, is this possible?

Yes

That is what the sudo command is designed for.

Although many novice Linux sysadmins only know and use sudo to run commands / elevate or escalate privileges to root and full administrator rights, and many examples only grant unrestricted and unlimited privileges, sudo is explicitly designed to grant restricted privileges and can also be used to run a single and/or only some specific commands under the UID of a different, non-privileged user.

See also https://serverfault.com/a/639062

HBruijn
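A sudoers rule of the kind this answer describes, as an added example (not code from the answer or from the sudo documentation): it limits bob to running /path/to/state-check as auto, with no arguments and no password, and syntax-checks the rule before installing it. The user names and script path come from the question; the drop-in file name is an assumption.

```shell
#!/bin/sh
# Added example, not from the answer. bob, auto and /path/to/state-check come
# from the question; the drop-in name /etc/sudoers.d/state-check is assumed.

# Print a rule letting user $1 run exactly $3, without arguments, as user $2.
make_rule() {
    for name in "$1" "$2"; do
        case "$name" in
            ''|*[!A-Za-z0-9_-]*) echo "bad user name: $name" >&2; return 1 ;;
        esac
    done
    case "$3" in
        /*) ;;
        *) echo "command must be an absolute path" >&2; return 1 ;;
    esac
    case "$3" in
        *[!A-Za-z0-9_./-]*) echo "unexpected character in path" >&2; return 1 ;;
    esac
    # The trailing "" makes sudo refuse any command-line arguments.
    printf '%s ALL=(%s) NOPASSWD: %s ""\n' "$1" "$2" "$3"
}

# Succeed if group or others can write the file. Anyone who can edit the
# script can make it run arbitrary code as the target account.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

install_rule() {
    cmd=/path/to/state-check
    [ -f "$cmd" ] || { echo "$cmd not found" >&2; return 1; }
    if loosely_writable "$cmd"; then
        echo "$cmd is group- or world-writable, refusing" >&2; return 1
    fi
    tmp=$(mktemp) || return 1
    # Syntax-check before installing: a broken drop-in can disable sudo.
    make_rule bob auto "$cmd" > "$tmp" &&
        visudo -cf "$tmp" &&
        install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/state-check
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# As root: sh this-file install. bob then runs: sudo -u auto /path/to/state-check
if [ "${1:-}" = install ]; then install_rule; fi
```

The script in the question reads the key from $HOME/.ssh/id_rsa, and whether HOME points at auto's home under sudo depends on the sudoers environment policy. Running it as `sudo -H -u auto /path/to/state-check`, or hard-coding the key path in the script, removes that dependence.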
0

Besides sudo, mentioned by @HBruijn, you can also use pkexec from Polkit (aka Policy Kit). See also: polkit(8) man page.