-1

I created a (system) user, eg: mysysuser, and some sudo rules so it can do some maintenance in other users folders.

This script needs to run as other user but also needs some parameters.

Therefore, I created the following in /etc/sudoers.d/mysysuser

example:

Cmnd_Alias FIRST = /usr/bin/su -l user1 -c '/home/*/www/*/deploy.sh "$0" "$1" "$2"' * * *
Cmnd_Alias SECOND = /usr/bin/su -l user2 -c '/home/*/www/*/deploy.sh "$0" "$1" "$2"' * * *
mysysuser ALL=(ALL) NOPASSWD: FIRST,SECOND

Then I run:

sudo /usr/bin/su -l user1 -c '/home/user1/www/site1/deploy.sh' "param 1" "param 2" "param 3"

this does not work and asks for password.

This version without parameters works fine and executes without asking password:

Cmnd_Alias FIRST = /usr/bin/su -l user1 -c /home/*/www/*/deploy.sh * * *

But... the script does not receive the args.

I know the sudoers file needs it to be very literal with the exception for the wildcard:*

I am wondering why it does not work, is it the:

"$0" "$1" "$2"

part?

Escaping the dollar signs makes visudo barf.

UPDATE:

As per the comments, it is advised to use sudo directly without the su command.

I tried this but now I can't get it to work, sudo asks for the password although it shouldn't.

/etc/sudoers.d/mysysuser:

Cmnd_Alias FIRST = /home/*/www/*/deploy.sh "$0" "$1" "$2" * * *
mysysuser ALL=(ALL) NOPASSWD: FIRST

the command I execute as mysysuser:

sudo -u user1 /home/user1/www/site1/deploy.sh "param 1" "param 2" "param 3"

result:

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for mysysuser:

ctrl-alt-delor
  • 27,993
chichi
  • 1
  • 1
    When you run sudo su ... you are in effect saying, "Hello sudo please can I have root access ... thank you. Hello su, although I'm already root please would you give me root access ... thank you`. – Chris Davies Mar 05 '20 at 18:00

2 Answers2

0

To run sudo you have to run sudo:

Therefore your command MUST start with sudo.

Also you never need to use su in conjunction with sudo. sudo can handle users and groups. You can configure who can run what as who.

ctrl-alt-delor
  • 27,993
  • yes, i left out sudo, the full command is: sudo /usr/bin/su -l user1 -c '/home/user1/www/site1/deploy.sh' "param 1" "param 2" "param 3" (sorry, i thought that was clear, my bad) – chichi Mar 05 '20 at 08:58
  • i want to use sudo so i can specify the allowed commands very specifically. i only want the mysysuser to run one specific command and nothing else. – chichi Mar 05 '20 at 09:04
  • .. and it needs to run in the environment of the 'other' user – chichi Mar 05 '20 at 09:06
  • @chichi as ctrl-alt-delor said, you don't need su. Just run sudo -u user1 home/user1/www/site1/deploy.sh "param 1" "param 2" "param 3". – terdon Mar 05 '20 at 23:41
  • @terdon, if i do that it keeps asking for the password as to when i use the su part it doesnt.

    sudoers: Cmnd_Alias FIRST = /home//www//deploy.sh "$0" "$1" "$2" * * *

    command: sudo -u user1 /home/user1/www/site1/deploy.sh "param 1" "param 2" "param 3"

    any ideas?

     – chichi Mar 11 '20 at 13:09
  • @chichi please put updates in the question: so they are in one place, and formatted so we can read them. – ctrl-alt-delor Mar 11 '20 at 17:18
  • @ctrl-alt-delor ok, I updated the question. – chichi Mar 12 '20 at 10:02
-1

nevermind, it works fine without the single quotes in the sudoers file:

Cmnd_Alias FIRST = /usr/bin/su -l user1 -c /home/*/www/*/deploy.sh "$0" "$1" "$2" * * *

with this command:

/usr/bin/su -l user1 -c '/home/user1/www/site1/deploy.sh' "param 1" "param 2" "param 3"
chichi
  • 1