I have script.sh that must be run as user2. However, this script can only be run under user1 in my application.

I would like the following command to run:

su user2 -C script.sh

but be able to run without password.

I also want this to be very restrictive, as in user1 can only run script.sh under user2 and nothing else.

I've tried doing this with sudoers file and just got endlessly confused after hours of trying.

If somebody can provide an explicit example of how this can be accomplished (instead of something generic like use sudoers), it would be greatly appreciated.

Solution 1

try running:

su -c "Your command right here" -s /bin/sh username

This will run the command as username given that you have permissions to sudo as that user.

Solution 2

Call visudo and add this:

user1 ALL=(user2) NOPASSWD: /home/user2/bin/test.sh

The command paths must be absolute! Then call sudo -u user2 /home/user2/bin/test.sh from a user1 shell. Done.

Solution 3

`su -c "Your command right here" -s /bin/sh username`

The above command is correct, but on Red Hat if selinux is enforcing it will not allow cron to execute scripts as another user. example; execl: couldn't exec /bin/sh execl: Permission denied

I had to install setroubleshoot and setools and run the following to allow it:

yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
grep crond /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.p