Possible Duplicate:
Creating a UNIX account which only executes one command
There is a shell script which has to be executed through an existing user account XXX. Now I have various other users which shall be able to execute only this script as well without getting access to the user account XXX. Is there a way to create a ssh command (maybe through a key or anything else), which only allows to execute this specific shell script of the user XXX without knowing the password of XXX?
If running the script is the only thing you want those other users to be able to do, then I'd go with using ssh keys.
Each user should have their own ssh key, so you won't get into a hassle when somebody no longer needs access. The public part of the key should be put into
~scriptuser/.ssh/authorized_keys
and in front of the actual key, you should add the text command="/path/to/script"
Here's an example:
from="10.23.5.32",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/path/to/script" ssh-dss A........
This limits the ip-address that this key can be used from, and it limits what kind of forwarding can be done, and makes sure that no pty can ever be granted when using this key, and whenever the user connects with this key then the script will be run and nothing else can happen.
To add an environment variable, you just add it too to the key:
from="10.23.5.32",environment="MYVARIABLE=whatever",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/path/to/script" ssh-dss A........
However, in order for that to work, you have to have the PermitUserEnvironment directive set to "yes" in the sshd config file. If you can't make that happen, you can instead change the line to this:
from="10.23.5.32",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="export MYVARIABLE=whatever; /path/to/script" ssh-dss A........
