41

I created a special user in /etc/passwd with:

secure:x:2000:2000:secure:/bin:/usr/sbin/nologin

I don't want to allow login of this user (via console, ssh, ftp, any way).

He is just for running one script via:

sudo su secure -c '/home/someuser/secure.script'

But it gives me "This user is currently not available." How can I set it up to be able to run the script this way but prevent any login (console, ssh, ftp, ...) of this user to the system?


I have noticed that when I type /usr/sbin/nologin on the command-line, the computer responds with "This account is currently not available."

peter
  • 925

3 Answers

47

This is a typical use case for sudo.

You're mixing sudo, which allows running commands as another user and is highly configurable (you can selectively specify which user can run which command as which user), and su, which switches to another user if you know the password (or are root). su always runs the shell written in /etc/passwd, even if su -c is used. Because of this, su isn't compatible with /usr/sbin/nologin.

You should use

sudo -u secure /home/someuser/secure.script

As sudo is configurable you can control who can use this command and if he/she needs to enter a password to run it. You need to edit /etc/sudoers using visudo to do this. (Be careful when editing /etc/sudoers and always use visudo to do it. The syntax isn't trivial and one error can lock you out from your root account.)

This line in sudoers allows anyone in group somegroup to run the command as secure:

%somegroup    ALL=(secure) /home/someuser/secure.script

This allows anyone in group somegroup to run the command as secure without entering a password:

%somegroup    ALL=(secure) NOPASSWD: /home/someuser/secure.script

This allows user1 to run the command as secure without entering a password:

user1    ALL=(secure) NOPASSWD: /home/someuser/secure.script
cg909
  • 7,082
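
Added example, not part of the answer above or of any project's code: a shell preflight for this setup. It checks that the passwd entry has a no-login shell, builds the group rule, verifies the script cannot be edited by others, and syntax-checks a candidate sudoers file with visudo. Function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the login shell (7th passwd field) of user $1 from passwd file $2.
login_shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# Succeed if user $1 has a no-login shell. su starts this shell and so fails;
# "sudo -u" executes the command directly and is unaffected.
blocks_login() {
    case "$(login_shell_of "$1" "$2")" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a sudoers rule letting group $1 run exactly command $3 as user $2.
# sudoers needs a fully qualified command, so relative paths are refused.
sudoers_rule() {
    case "$3" in
        /*) printf '%%%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3" ;;
        *)  echo "command must be an absolute path: $3" >&2; return 1 ;;
    esac
}

# Succeed only if file $1 is owned by user/uid $2 and is not writable by group
# or others: whoever can edit the script runs code as the target user.
script_is_locked_down() {
    [ -n "$(find "$1" -prune -type f -user "$2" ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Syntax-check candidate sudoers file $1 before it is installed.
validate_rule_file() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 2; }
    visudo -c -f "$1"
}

# Demo on constructed data: the passwd line from the question.
demo=$(mktemp)
echo 'secure:x:2000:2000:secure:/bin:/usr/sbin/nologin' > "$demo"
blocks_login secure "$demo" && echo "secure: interactive login blocked"
sudoers_rule somegroup secure /home/someuser/secure.script
rm -f "$demo"
```

Ownership of the parent directory matters as well: a script under /home/someuser can be replaced by whoever owns that directory, even when the file itself passes the check.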
27

I found out the main problem is "/usr/sbin/nologin" in /etc/passwd. When I want to execute su in this case, it must have -s /bin/bash inside, so for example: su -s /bin/bash -c '/home/someuser/secure.script' secure

peter
  • 925
  • 1
    Yes, su uses the shell written in /etc/passwd by default. Using su is a way to log in as a user from another user. nologin prints the message "This user is currently not available." and exits. sudo doesn't use a shell to execute a command, so using sudo without su will also work. See my answer for more about sudo. – cg909 Apr 13 '17 at 23:27
6

su is using the shell specified in /etc/passwd.

You don't need to use su with sudo.

Therefore don't mix su with sudo: use sudo -u secure '/home/someuser/secure.script'.