views: 49
answers: 2

Let's say I have a shell script that runs a bunch of other sub-scripts. I decide that my script must be run as root because the first several sub-scripts that it runs need to be run as root. However, there are two sub-scripts run by the super-script that cannot be run as root. Assuming my script was run as root, how do I de-root it for the last two sub-scripts? Is this even possible?

+1  A: 

Use `su` to run a command you want to run as some other user.

su nobody -c 'ls /tmp'
nsayer
This isn't necessarily wrong, but the odds are that the sub-script needs to write the file system, at which point (AIUI) one must not use `nobody`.
Zack
He wasn't nearly that specific. He asked how to run a script as a non-root user. I answered. I provided an example. Sheesh.
nsayer
I don't mean to be a pill, but I jump on examples that casually use `nobody` because misusing `nobody` opens security holes.
Zack
+3  A: 

You need a specific non-root user that your sub-scripts can run under. Let us call that user fred. Then your script with root privileges can simply do

su fred -c /path/to/subscript-A
su fred -c /path/to/subscript-B

Contra nsayer's answer, you probably can NOT use nobody for this, because the entire point of nobody is that it has write privileges on nothing. Sometimes that's exactly what you want, but I'm betting your sub-scripts need to write to the file system...

Zack
The point Zack is getting at is that the user must be a 'human' user with a shell to do anything useful, so for example `nobody` or `www-data` won't work. It's a good point, but it's not necessary to `su fred (some command)` every time... just `su fred`, then issue any commands as fred in separate commands, then `exit`.
no
@no: That only works if you have an interactive shell; from within a script, you have to give `su fred` a command. You can of course wrap up a bunch of commands in a sub-script and pass that to `su`, but it sounds like the OP has already done that. Also, FYI, `su -s /bin/sh fred -c 'exec /path/to/subscript'` will work even if `fred` has no shell in `/etc/passwd`, and you may prefer to have `fred` that way if that account is only ever used from the script (which is probably a good idea).
Zack
Zack, thanks for clearing that up :)
no
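Putting the accepted answer and Zack's `-s /bin/sh` tip together, here is an added example (not code from any of the answers above) of a root-run wrapper that runs its first stages as root, checks that the drop actually took effect, and then runs its last stages as an unprivileged account. The account name `fred`, the `RUN_DROP_DEMO` switch and every `/path/to/...` path are placeholders; the example assumes a `su` that accepts `-s` and `-c` (util-linux or GNU coreutils) and sub-script paths without spaces.

```shell
#!/bin/sh
# Added example: drop from root to an unprivileged user for the last stages
# of a wrapper script. "fred" and the /path/to/... scripts are placeholders.
set -eu

# Portable "does this account exist" check: id(1) fails for unknown users.
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Only root can su to another account without a password prompt.
require_root() {
    [ "$(id -u)" -eq 0 ]
}

# Build the exact su invocation used for the drop, mainly so it can be logged
# or inspected. -s /bin/sh makes it work even when the account's login shell
# is /usr/sbin/nologin (the script-only setup the comments recommend); -c
# hands the command string to that shell; exec avoids leaving an extra shell.
drop_cmd() {
    drop_user=$1
    drop_script=$2
    printf "su -s /bin/sh %s -c 'exec %s'" "$drop_user" "$drop_script"
}

# Run one sub-script as the given user (path assumed to contain no spaces).
run_as() {
    su -s /bin/sh "$1" -c "exec $2"
}

main() {
    user=fred   # placeholder account; create it first (e.g. useradd -r fred)

    require_root || { echo "must be run as root" >&2; exit 1; }
    user_exists "$user" || { echo "account $user does not exist" >&2; exit 1; }

    # Stages that genuinely need root (placeholder paths).
    /path/to/root-stage-1
    /path/to/root-stage-2

    # Check the drop before trusting it: id(1) under su must report $user.
    [ "$(su -s /bin/sh "$user" -c 'id -un')" = "$user" ] \
        || { echo "privilege drop to $user failed" >&2; exit 1; }

    # Last stages run without root privileges.
    echo "running: $(drop_cmd "$user" /path/to/subscript-A)"
    run_as "$user" /path/to/subscript-A
    run_as "$user" /path/to/subscript-B
}

# Run the procedure only when explicitly asked for, so the file can also be
# sourced to reuse the helper functions (placeholder switch).
if [ "${RUN_DROP_DEMO:-0}" = 1 ]; then main; fi
```

The `id -un` check is cheap insurance: if `su` is silently replaced by a version with different argument handling, the script stops before the unprivileged stages run as root.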