Ubuntu – Running a program as another user without typing a password

Tags: permissions, sudo

I'm trying to mark my browser internet traffic with a DSCP by selecting the packages with a certain owner. In order to do that I have to start my browser with a dummy user.

I start my browser by binding a terminal command to a keyboard shortcut. So for now that has always been chromium-browser.

The steps I have taken so far:

Create a new user:

    sudo useradd <dummy user>
    sudo passwd <dummy user>
    sudo mkdir /home/<dummy user>
    sudo chown <dummy user> /home/<dummy user>
    sudo chgrp <dummy user> /home/<dummy user>

Allow the new user to access X:

    xhost +

Run the command as the new user

I start a terminal as the original user (non-root) and run the following command:

    su <dummy user> -c chromium-browser

After typing the dummy user password I can run the chromium-browser as the dummy user. Chromium will be all new and won't have any of my old settings since it uses the newly created dummy user home dir.

Now I don't want to have to enter a password at any stage so I looked into how to work with the sudoers file.

Apparently it is possible to run a command as another user without being prompted for the password by changing the sudoers file. I have not yet figured out exactly how, but I think it relies on sudo -u, which also allows you to run a command as someone else. Before I started to adapt the sudoers file I wanted to test this structure. So I ran:

    sudo -u <dummy user> chromium-browser

And I got the following error:

    [0906/012127:ERROR:nss_util.cc(90)] Failed to create /home/<user>/.pki/nssdb directory.
    [0906/012127:ERROR:nss_util.cc(90)] Failed to create /home/<user>/.pki/nssdb directory.
    Home directory /home/<user> not ours.

where <user> is my username. So it tries to access my home user's home dir.

I'm hoping someone can help me figure this out. I have the feeling I'm sort of heading in the right direction, but I need someone to let me see what I'm doing wrong. Also, any help on how to change the sudoers file would be appreciated.

Thanks in advance!

Best Answer

According to the sudo manual:

    By default, sudo does not modify HOME

It means that when you run sudo -u <dummy user> <command>, HOME is unchanged and points to the invoking user's home directory. More precisely, the entire environment remains unchanged, and the command is therefore executed in the environment of the user who invoked sudo. Only the uid is changed, and when the command tries to write in $HOME it does not have the right permission.

In order to run a command as <dummy user> without being prompted for the password and with the right environment, you should create a simple file:

    sudo visudo -f /etc/sudoers.d/myOverrides 

with this directive:

    <user> ALL= NOPASSWD:/bin/su

That allows <user> to run the su command as root without being prompted for a password (<user>'s password), and running su as root doesn't require entering the target user's password (<dummy user> in this case).

    sudo su - <dummy user> -c /path/to/chromium-browser

Another, better approach: change /etc/sudoers.d/myOverrides to:

    <user> ALL= (<dummy user>) NOPASSWD:/path/to/chromium-browser

This allows <user> to run /path/to/chromium-browser as <dummy user> without being prompted for a password.

    sudo -u <dummy user> -i /path/to/chromium-browser

where the -i option, according to the sudo manual:

    The -i (simulate initial login) option runs the shell specified in the passwd(5) entry of the target user as a login shell. This means that login-specific resource files such as .profile or .login will be read by the shell. If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. sudo attempts to change to that user’s home directory before running the shell. It also initializes the environment, leaving DISPLAY and TERM unchanged, setting HOME, SHELL, USER, LOGNAME, and PATH, as well as the contents of /etc/environment on Linux and AIX systems. All other environment variables are removed.
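The two directives above differ in how much they grant: with no run-as user in parentheses, su runs as root, and root can switch to any account, whereas the second rule covers one command as one non-root user. The script below is an added example, not part of the original answer, that classifies single-line NOPASSWD rules on that basis. The names alice and browser and the command paths are constructed sample values, and the check is a heuristic that does not expand sudoers aliases.

```shell
#!/bin/sh
# Added example: classify single-line NOPASSWD sudoers rules.
# Prints one of: root-equivalent | scoped | review | n/a
classify_rule() (
    line=$1
    case $line in *NOPASSWD:*) ;; *) echo "n/a"; exit 0 ;; esac

    # Run-as user is the text inside "(...)"; without it sudo runs as root.
    runas=root
    case $line in
        *"("*")"*) runas=${line#*"("}; runas=${runas%%")"*}; runas=${runas%%:*} ;;
    esac
    runas=$(printf '%s' "$runas" | tr -d ' \t')
    # Run-as lists are treated conservatively, as if root were included.
    case $runas in root|ALL|*,*) as_root=1 ;; *) as_root=0 ;; esac

    verdict=scoped
    if [ "$as_root" -eq 1 ]; then verdict=review; fi

    set -f; IFS=,                      # split the command list on commas, no globbing
    set -- ${line#*NOPASSWD:}
    for c in "$@"; do
        c=${c#"${c%%[![:space:]]*}"}   # trim leading whitespace
        path=${c%%[[:space:]]*}        # command without its arguments
        base=${path##*/}
        if [ "$as_root" -eq 1 ]; then
            # ALL, su, sudo, env or a shell run as root gives a root shell.
            case $base in
                ALL|su|sudo|sh|bash|dash|zsh|env) verdict=root-equivalent; break ;;
            esac
        fi
        case $path in
            /*) case $path in *"*"*|*"?"*|*"["*) verdict=review ;; esac ;;
            *)  verdict=review ;;      # not an absolute path
        esac
    done
    echo "$verdict"
)

# Constructed sample rules mirroring the two directives in the answer.
for rule in \
    'alice ALL= NOPASSWD:/bin/su' \
    'alice ALL= (browser) NOPASSWD:/usr/bin/chromium-browser'
do
    printf '%-16s %s\n' "$(classify_rule "$rule")" "$rule"
done
```
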