What's a good way of running a shell script as a different user. I'm using Debian etch, and I know which user I want to impersonate.
If I was doing it manually, I would do:
su postgres
./backup_db.sh /tmp/test
exit
Since I want to automate the process, I need a way to run backup_db.sh as postgres (inheriting the environment, etc)
Thanks!
To run your script as another user as one command, run:
/bin/su -c "/path/to/backup_db.sh /tmp/test" - postgres
Breaking it down:
/bin/su : switch user
-c "/path/to..." : command to run
- : option to su, make it a login session (source profile for the user)
postgres : user to become
I recommend always using full paths in scripts like this - you can't always guarantee that you'll be in the right directory when you su (maybe someone changed the homedir on you, who knows). I also always use the full path to su (/bin/su) because I'm paranoid. It's possible someone can edit your path and cause you to use a compromised version of su.
If the target user to run has nologin shelll defined, then you can use the -s option to specify the shell:
/bin/su -s /bin/bash -c '/path/to/your/script' testuser
See the following question: run script as user who has nologin shell
To automate this on a schedule you could put it in the user's crontab. Cron jobs won't get the full environment though, but it it might be better to put all the env variables you need in the script itself anyways.
To edit the user's crontab:
sudo crontab -u postgres -e
This should be an informative read -- setuid on shell scripts
If you run su with a "- username" argument sequence, it will make a login shell for the user to give the same environment as the user. Usually, used to quickly execute your script with your home environment from a different login.
Try the su manpage:
su -c script_run_as_postgres.sh - postgres
Alernately, you could use sudo to allow you to run just that command as postgres without a password. It takes some setup in your /etc/sudoers, though.
The "su -c ... " method posted by others is a good one. For automation, you could add the script to the crontab of the user you need it to execute as.
If the user already has an entry to sudo and you don't know superuser's password then you can try following: This one restarts the postgres initialized at /data/my-db/pgsql/9.6/data
sudo su - postgres -c "/usr/pgsql-9.6/bin/pg_ctl -D /data/my-db/pgsql/9.6/data -l /var/log/pgsql.log restart"
For sites that may have special PAM setups that make this difficult, you can bypass su/sudo entirely with systemd and a little more typing:
oneshot service that executes your script. If your script is only a few commands, you can use one or more ExecStart with commands instead of executing an external file that contains those same commands./home/myuser2/myscript.service
[Unit]
Description=My Script
[Service]
Type=oneshot
User=myuser2
ExecStart=/full/path/to/my/script.sh
[Install]
WantedBy=multi-user.target
/etc/polkit-1/rules.d/my-script.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
subject.user == "myuser1") {
if (action.lookup("unit") == "myscript.service") {
var verb = action.lookup("verb");
if (verb == "start" || verb == "stop" || verb == "restart") {
return polkit.Result.YES;
}
}
}
});
systemctl enable /home/myuser2/myscript.service
Now myuser1 can do systemctl start myscript.service which will ask systemd to execute the script (as myuser2). The service can be debugged as usual with systemctl status and journalctl.
