Summary: SU usage

From: Angel Ortiz (cherub@lava.net)
Date: Wed Jun 10 1998 - 01:38:37 CDT


Sun Managers;

Many thanks to those of you (see below replies) who replied to my query.
Some of you stated that it was not possible yet others were more
optimistic. Some suggested using additional software, but I was looking
to get it done with standard system tools due to site restrictions on
loading new software. I cannot do it with root since having root access
voids the needs to feed a password to the "su" command.

I have tried (unsuccessfully) the suggestion from Brooke King (6532)
<jbking@sandia.gov>. I am being pulled away on another project and do not
have more time to continue trying for the time being. I am submitting this
summary with answers received. If anyone of you can make any of these
options work, please let me know.

I'll continue trying when I get time.

Original query:

I am trying to switch user (su) to another user within a script.
I get the users password from the user and am trying to pass the password
to the "SU" command but have not been successful.

Is this possible?

I do not wish to use "EXPECT" and I do not want to modify the .rhosts file.

===========
Thanks, Angel
===========

Replies follow:

From: Robert Owen Thomas <robt@cymru.com>

Hi, Angel--

There is no option to su that will allow you to pass in a password.
You could run this script as root, of course, which would allow you
to su at will.

However, be VERY careful here. su'ing back and forth between users,
as well as placing passwords in clear text into script files, is just
asking for a security breach.

--Rob

--
Robert Owen Thomas
mailto:robt@cymru.com                               
http://www.cymru.com/~robt
=======

From: Maurice Levie <Maurice.Levie@mail.sprint.com>

use SUDO instead. Its freeware.

Maurice Levie

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Maurice Levie - Sprint EIS/Headquarters Midrange Systems
(913) 624-3356
maurice.levie@mail.sprint.com
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
=======

From: Val <vpopa@dss.mc.xerox.com>

try

    su - username -c
         ^^^^^^^  ^
            |     |
            ------|-----> is the user
                  |
                  ------------------> is the command that user executes

Val
========

From: Igor Schein <igor@txc.com>

Use sudo, available from www.courtesan.com
=======

From: "Rich Snyder" <rsnyder@eos.hitc.com>

Angel,

You're not going to successfully script a password entry for su using a shell script - something about requiring passwd input from a terminal which Expect will emulate. You could write a C wrapper program, suid, and set the owner to whatever user you want to run the script, but that's a hack that can possibly open security holes. I would really suggest using Expect.

Rich Snyder
rsnyder@eos.hitc.com
========

From: Shobhit Kapoor <shobhit@mindless.com>

you have to pass the password encryption, that works.

good luck,
-Shobhit
=======

From: Geoff Weller <g.s.weller@larc.nasa.gov>

You can use "runas" to do this type of thing. It may take some time to set up, but it is a great tool. It's available at ftp.cs.odu.edu

Geoff Weller
UNIX Sysadmin
NASA Langley
=========

From: Jim Harmon <jharmon@telecnnct.com>

No.

The password prompt is executed by "login" or "rlogin" after the username is acknowledged.

However, if you first su to root, you can su to any other user without a password at all.

This assumes you have access to the su password.

> I do not wish to use "EXPECT" and I do not want to modify the .rhosts
> file.

Another option that is less fun than EXPECT is to use telnet instead of su.

If you build a .netrc file, it can execute commands when you connect to a computer via telnet.

But if you don't want to use expect, this won't do you any good.

> Tnx, Angel

--
Jim Harmon
The Telephone Connection
jim@telecnnct.com
Rockville, Maryland
========

From: "Randy L. Chatfield" <rchatfie@CEMRC.Org>

One thing you could do is make a script setuid, owned as root. That's mode 4755. It's not the best way but it will work. It doesn't require the use of a password.

----
#!/bin/sh

su - username
-----

-rc
==========
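Two of the replies above (Rich Snyder's and this one) reach for a setuid wrapper to avoid the password prompt. A setuid interpreter script is the case that auditors look for first, so the following is an added check, not something posted in the thread: it walks a directory tree for files carrying the setuid or setgid bit whose first two bytes are "#!". The function names and the sample tree built by build_demo_tree are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the Sun Managers thread): list setuid/setgid
# files under a directory that are interpreter scripts ("#!" magic).

# Print every regular file under $1 that has the setuid (-4000) or setgid
# (-2000) bit and starts with "#!". -type f skips directories, where the
# setgid bit has a different meaning.
find_setuid_scripts() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # head -c 2 reads only the magic bytes, so large binaries are cheap.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of findings; 0 means the tree is clean, handy in a cron check.
count_setuid_scripts() {
    find_setuid_scripts "$1" | wc -l | tr -d ' '
}

# Constructed fixture for the demonstration (hypothetical files, not real
# system paths): one setuid shell script of the shape suggested in the
# thread, one ordinary script, and one setuid file that is not a script.
# Prints the temporary directory it created.
build_demo_tree() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nsu - username\n' > "$d/wrapper" && chmod 4755 "$d/wrapper"
    printf '#!/bin/sh\necho hi\n' > "$d/plain" && chmod 755 "$d/plain"
    printf 'not a script\n' > "$d/data" && chmod 4755 "$d/data"
    printf '%s\n' "$d"
}

# Usage: find_setuid_scripts /usr/local   (or any tree you administer)
```

Run the audit against the fixture and only the wrapper is reported; the ordinary script lacks the bit and the setuid data file lacks the "#!" header. On a real host point it at the whole filesystem and diff the output against a known-good baseline.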

From: Seth Rothenberg <SROTHENB@montefiore.org>

Angel, I don't think su will help you. There are other approaches... expect, sudo, which must run as root, and....

rsh.

If the originating user is trusted to do anything as the target user, you can create a .rhosts file for the target user:

john@testdg% cat ~seth/.rhosts
testdg john
john@testdg% rsh -l seth testdg cat .rhosts
testdg john
john@testdg% date | rsh -l seth testdg 'cat > date'

etc.

Seth
===========

From: "Brooke King (6532)" <jbking@sandia.gov>

System V release 3.x used to have a really clever script, called sysadm, which would be a good example of how to do what you want.

It looked like this:

# $Id: unixadmin,v 1.1 1989/12/04 18:07:18 mar Rel $ $Locker:  $
# Copyright (c) 1989 by Intergraph Corporation
# $Log: unixadmin,v $
# Revision 1.1  1989/12/04  18:07:18  mar
# Initial revision
#
#ident	"@(#)sadmin:admin/unixadmin	2.3 1.2 (Intergraph) 3/10/88"
# General purpose hook into administrative logins used as commands,
# so that the commands can have passwords on them.

set -f
PATH=${PATH:-/bin:/usr/bin}:/usr/lbin
export PATH
cmd=`basename $0`
if grep "^${cmd}:" /etc/passwd >/dev/null
then
	# Magic here!
	# The problem is that we want the commands to (potentially) have a
	# password, so that they can be restricted if the user likes, and
	# to be within the restricted shell so that the user can not break out
	# and become super-user.  The complication is that we want the command
	# to have arguments, but /bin/su will not permit arguments to something
	# that has /bin/rsh as its login shell and /bin/su clears out the
	# environment when the - argument is used.  So we open another File
	# Descriptor and ship the arguments in via a pipe.

	# make File Descriptor 4 the same as 0 (standard input)
	exec 4<&0
	# echo the arguments down a pipe.  On the receiving end,
	# connect the pipe to File Descriptor 3 and connect the original
	# standard input, available on FD 4, to FD 0.  Lastly, close FD 4.
	# See the .profile file (admin profile.dot) for how the arguments
	# are read.
	echo $* | 3<&0 0<&4 4<&- /bin/su - ${cmd}
else
	admerr $0 Command ${cmd} does not exist in /etc/passwd.
	exit 1
fi

Individual commands corresponded to user names. Enjoy.

--

Brooke King
jbking@sandia.gov
+1.505.844.5936 both voice and fax
==========
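The interesting part of the Intergraph script is how it smuggles arguments past "su -", which clears the environment and forbids arguments to a restricted login shell: the arguments travel down a pipe on file descriptor 3 while the caller's real standard input is handed over on descriptor 0. The block below is an added demonstration of that descriptor juggling, not code from the thread, and it runs unprivileged: the receiver function is a stand-in for the target login's .profile (which the post says reads the arguments from FD 3), and ship_args applies exactly the redirections the script wraps around /bin/su.

```sh
#!/bin/sh
# Added example (not from the Sun Managers thread): the FD 3/FD 4 trick
# from the unixadmin script, with a shell function standing in for
# "/bin/su - $cmd" plus the target account's .profile.

# Receiver: reads the shipped argument line from FD 3, then consumes the
# caller's original standard input, which arrives on FD 0 as usual.
receiver() {
    read args <&3            # the arguments, delivered down the pipe on FD 3
    input=$(cat)             # the original stdin of the caller, now on FD 0
    printf 'args=[%s] stdin=[%s]\n' "$args" "$input"
}

# Sender: the same redirections unixadmin used around /bin/su.
#   exec 4<&0   keep a copy of the caller's stdin on FD 4
#   3<&0        in the receiver, FD 3 becomes the pipe carrying the arguments
#   0<&4        ... and FD 0 becomes the caller's original stdin again
#   4<&-        close the spare descriptor so nothing leaks to the receiver
ship_args() {
    exec 4<&0
    echo "$@" | 3<&0 0<&4 4<&- receiver
    exec 4<&-
}

# Usage: printf 'hello\n' | ship_args foo bar
# prints: args=[foo bar] stdin=[hello]
```

Because the arguments never touch the environment or the command line, neither "su -" wiping the environment nor the restricted shell refusing arguments gets in the way, and the receiver still has a clean standard input to work with. The closing "4<&-" matters: an inherited descriptor the receiving side was not told about is the kind of leak that later turns up as a way to read the caller's input.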

From: Petri Kallberg - Sun Finland - <Petri.Kallberg@Finland.Sun.COM>

I'm not sure what you are trying to do, but ...

1) You could make that script SUID to that UID you want to use it. Not very
   secure and won't work if multiple UIDs are required.

2) Are you sure that you have understood correctly what su does ? It doesn't
   "change" your effective UID but RUNS a command as another user. (this
   command however can be a shell etc...)

On Solaris 2.5.1 following works just fine;

icetip ~ ; whoami
kallu
icetip ~ ; ./samplescript
Password:
root
icetip ~ ; cat ./samplescript
su root -c /usr/ucb/whoami
icetip ~ ;

I'm logged in as kallu and when I run script called samplescript it shows that whoami -command is run as root (after giving correct password). Just replace /usr/ucb/whoami with command or script you want and it should work ...

> Tnx, Angel

--
Petri Kallberg
Sun Microsystems Oy
===========

From: Ross Bennett <ross@orion.gcs.com.au>

I've done something similar with the eprom security-mode password. It's a pretty roundabout way of doing this, but it works. The trouble is that you need root access to be able to do this. The thing about the su and passwd commands is that they take their input from /dev/tty, so you can't redirect the input.

I hope that the script below helps at least put you on the right track. Regards, Ross

mv /dev/tty /dev/tty.old
echo "password" > /dev/tty
su username
mv /dev/tty.old /dev/tty

Ross G. Bennett, Design Engineer
Graphics Computer Systems - Computer Technology Design
97 Highbury Rd, Burwood, 3125, Australia
Ph +613-9888-8522  Fax +613-9888-8511
ross@gcs.com.au

- - - - - - - - - - - - - - - -

EFN, CIAO!, Angel

... Yo quiero TACO Bell!!



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:41 CDT