Run a shell script as a different user

Question

What's a good way of running a shell script as a different user. I'm using Debian etch, and I know which user I want to impersonate.

If I was doing it manually, I would do:

su postgres ./backup_db.sh /tmp/test exit 

Since I want to automate the process, I need a way to run backup_db.sh as postgres (inheriting the environment, etc)

Thanks!

Answer 1

To run your script as another user as one command, run:

/bin/su -c "/path/to/backup_db.sh /tmp/test" - postgres Breaking it down: /bin/su : switch user -c "/path/to..." : command to run - : option to su, make it a login session (source profile for the user) postgres : user to become 

I recommend always using full paths in scripts like this - you can't always guarantee that you'll be in the right directory when you su (maybe someone changed the homedir on you, who knows). I also always use the full path to su (/bin/su) because I'm paranoid. It's possible someone can edit your path and cause you to use a compromised version of su.

Answer 2

If the target user to run has nologin shelll defined, then you can use the -s option to specify the shell:

/bin/su -s /bin/bash -c '/path/to/your/script' testuser 

See the following question: run script as user who has nologin shell

Answer 3

To automate this on a schedule you could put it in the user's crontab. Cron jobs won't get the full environment though, but it it might be better to put all the env variables you need in the script itself anyways.

To edit the user's crontab:

sudo crontab -u postgres -e 

Answer 4

This should be an informative read -- setuid on shell scripts

If you run su with a "- username" argument sequence, it will make a login shell for the user to give the same environment as the user. Usually, used to quickly execute your script with your home environment from a different login.

Answer 5

Try the su manpage:

su -c script_run_as_postgres.sh - postgres

Alernately, you could use sudo to allow you to run just that command as postgres without a password. It takes some setup in your /etc/sudoers, though.

Answer 6

The "su -c ... " method posted by others is a good one. For automation, you could add the script to the crontab of the user you need it to execute as.

Answer 7

If the user already has an entry to sudo and you don't know superuser's password then you can try following: This one restarts the postgres initialized at /data/my-db/pgsql/9.6/data

sudo su - postgres -c "/usr/pgsql-9.6/bin/pg_ctl -D /data/my-db/pgsql/9.6/data -l /var/log/pgsql.log restart" 

Answer 8

You can also use:

sudo -u postgres script_run_as_postgres.sh

Answer 9

For sites that may have special PAM setups that make this difficult, you can bypass su/sudo entirely with systemd and a little more typing:

1. Define a oneshot service that executes your script. If your script is only a few commands, you can use one or more ExecStart with commands instead of executing an external file that contains those same commands.

/home/myuser2/myscript.service

[Unit] Description=My Script [Service] Type=oneshot User=myuser2 ExecStart=/full/path/to/my/script.sh [Install] WantedBy=multi-user.target 

2. Define a Polkit rule that lets another unprivileged user start the service

/etc/polkit-1/rules.d/my-script.rules

polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.systemd1.manage-units" && subject.user == "myuser1") { if (action.lookup("unit") == "myscript.service") { var verb = action.lookup("verb"); if (verb == "start" || verb == "stop" || verb == "restart") { return polkit.Result.YES; } } } }); 

3. Enable the service:

systemctl enable /home/myuser2/myscript.service 

Now myuser1 can do systemctl start myscript.service which will ask systemd to execute the script (as myuser2). The service can be debugged as usual with systemctl status and journalctl.