`sudo -u user` in shebang line

shebangsudo

I'd like to be able to run a script as another user, and only as that user.

The way I currently have this set up is to have

alice   ALL = (bob) NOPASSWD: /home/alice/script.sh

in the sudoers file and

alice@foo:~$ ls script.sh
-rwxr-xr-x  1 root  root ..... script.sh

alice@foo:~$ lsattr script.sh
----i----------- script.sh

alice@foo:~$ head -1 script.sh
#!/bin/bash

alice@foo:~$ sudo -u bob ./script.sh
ok

Is there a way to have the shebang line be something like

#!/usr/bin/sudo -u bob -- /bin/bash

so that alice could just run

alice@foo:~$ ./script.sh
ok

If I try this I simply get the error message

sudo: unknown user:  blog -- /bin/bash
sudo: unable to initialize policy plugin

Best Answer

Linux (like many other Unix variants) only supports passing a single argument to the interpreter of a script. (The interpreter is the program on the shebang line.) A script starting with #!/usr/bin/sudo -u bob -- /bin/bash is executed by calling /usr/bin/sudo with the arguments -u bob -- /bin/bash and /home/alice/script.sh.

One solution is to use a wrapper script: make /home/alice/script.sh contain

#!/bin/sh
exec sudo -u bob /home/alice/script.real

and put the code in /home/alice.script.real starting with #!/bin/bash and make the sudo rule refer to /home/alice.script.real.

Another solution is to make the script reexecute itself. You need to be careful to detect the desirable condition properly, otherwise you risk creating an infinite loop.

#!/bin/bash
if ((EUID != 123)); then
  exec sudo -u \#123 /home/alice/script.sh
fi

(where 123 is the user ID of bob)

A simple solution is to tell people to run sudo -u bob /home/alice/script.sh instead of running the script directly. You can provide shell aliases, .desktop files, etc.

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

This looks like an intentional configuration in Arch Linux. See this for discussion with links to solutions.

The best tip there seems to be adding "DISPLAY XAUTHORITY" to to the "env_keep" defaults in /etc/sudoers.

Fedora has in /etc/sudoers the following and this allows sudo somexapp to succeed.

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Linux – How to transition into another domain when invoking sudo

You can specify a transition in a custom policy file (.te) like this:

module collectdlocalexec 1.0;

require {
        type collectd_t;
        type user_home_t;
        type unconfined_t;
        type shell_exec_t;
        class capability {setgid setuid };
        class file { execute read open };
        class process transition;
}

allow collectd_t self:capability { setgid setuid };
allow collectd_t user_home_t:file { execute read open };
allow collectd_t shell_exec_t:file execute;
allow collectd_t unconfined_t:process transition;

type_transition collectd_t user_home_t:process unconfined_t;

Assuming that the collection script is located under a user's home directory (and that is labeled with user_home_t).

Best Answer

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

Linux – How to transition into another domain when invoking sudo

Related Question