run script as another user from a root script with no tty stdin

Question

Using CentOs, I want to run a script as user 'training' as a system service. I use daemontools to monitor the process, which needs a launcher script that is run as root and has no tty standard in.

Below I give my five different attempts which all fail.

:
```
#!/bin/bash
exec >> /var/log/training_service.log 2>&1
setuidgid training training_command
```
This last line is not good enough since for training_command, we need environment for trqaining user to be set.
:
```
su - training -c 'training_command' 
```
This looks like it (Run a shell script as a different user) but gives 'standard in must be tty' as su making sure tty is present to potentially accept password. I know I could make this disappear by modifying /etc/sudoers (a la https://superuser.com/questions/119376/bash-su-script-giving-an-error-standard-in-must-be-a-tty) but i am reluctant and unsure of consequences.
:
```
sudo -u training -i bash -c 'source $HOME/.bashrc; training_command'
```
A variation on the same theme: 'sudo: sorry, you must have a tty to run sudo'
:
```
runuser - training -c 'training_command'  
```
This one gives runuser: cannot set groups: Connection refused. I found no sense or resolution to this error.
:
```
ssh -p100 training@localhost 'source $HOME/.bashrc; training_command'
```
This one is more of a joke to show desparation. Even this one fails with Host key verification failed. (the host key IS in known_hosts, etc).

Note: all of 2,3,4 work as they should if I run the wrapper script from a root shell. problems only occur if the system service monitor (daemontools) launches it (no tty terminal I guess).

I am stuck. Is this something so hard to achieve?

I appreciate all insight and guidance to best practice.

(this has also been posted on superuser: https://superuser.com/questions/434235/script-calling-script-as-other-user)

Urist McDev · Answer 1 · 2014-04-04T22:01:45.793

6

You will need to disable the requiretty setting in /etc/sudoers for root. Add the following line via visudo:

Defaults:root !requiretty

You will also need the following line in /etc/sudoers so root can do everything (this should be enabled by default, but check to be sure):

root ALL=(ALL) ALL

Then you can do the following:

sudo -u training /path/to/training_command

edited Apr 04 '14 at 22:01

answered Apr 04 '14 at 21:46

Urist McDev

625

score 2 · Answer 2 · edited May 23 '17 at 12:41

2

This seems to be essentially a special case of this question; we can use script -c to fake a tty. The only problem is that I can't get that trick to work directly with su for some reason, and sudo is a bit ugly if you really have to source ~/.bashrc before training_command. Try:

echo password | script -c "sudo su - training -c training_command"

edited May 23 '17 at 12:41

Community

1

answered Apr 02 '14 at 09:50

gmatht

149

score 0 · Answer 3 · answered Jun 09 '12 at 18:56

Choose the first one and set the environment variables you need.

If you already use daemontools then you do not create or mess with the log files manually. Daemontools does that job for you.

This is the script for the applicatoin run script

#!/bin/bash
exec 2>&1
exec setuidgid training sh -c 'YOURVARIABLE=yourvalue exec training_command'

Then you create a log directory run script with its own runscript.

Refer to this entry for setting up a log: http://cr.yp.to/daemontools/faq/create.html#runlog

score 0 · Answer 4 · edited Apr 13 '17 at 12:14

Plagiarising my answer here: Starting a script as another user

You could use start-stop-daemon something like this:

/sbin/start-stop-daemon --background --start --exec /path/to/training.sh --user training --pidfile=/path/to/training.pid --make-pidfile

where training.sh is something like this:

#!/bin/sh
exec >> /var/log/training_service.log 2>&1
source /home/training/.bashrc
training_command

score 0 · Answer 5 · answered Aug 04 '15 at 08:22

Under SSH, you can run command foo.sh in normal user:

$ ssh normal_user@1.2.3.4 bash /path/to/foo.sh

if one of foo.sh's command need root privilege, for example, netstat, wrap it within su command like this (replace original raw netstat -tunple):

su -c "netstat -tunpl" root

and run foo.sh like this:

$ ssh -t normal_user@1.2.3.4 bash /path/to/foo.sh

This will prompt tow password, the first is for normal_user, and the second is for root.

Ebru Yener · Answer 6 · 2016-06-14T07:04:38.487

0

Run your command with SSH.

make ssh key configuration to login without password for other user. Here is a tutorial for this purpose: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
Run the command with ssh: ssh -l training -i key_file "training_command"

edited Jun 14 '16 at 07:04

answered Jun 13 '16 at 13:57

Ebru Yener

121

score -1 · Answer 7 · answered Jun 09 '12 at 01:46

-1

Try this:

#!/bin/bash
sudo -u training training_command > /var/log/training_service.log 2>&1

If this fails, please post the output of /var/log/training_service.log.

answered Jun 09 '12 at 01:46

AlexT

141

run script as another user from a root script with no tty stdin

7 Answers7