I have a general question about system administration scripts that require "some" commands to be executed with root access, and others as a normal non-root user (i.e. myusername, etc.). I should mention I'm using Ruby 1.8.6 on a Linux Red Hat 4 system. The suggestions I've seen so far are:
- Allow access from sudoers:
USERNAME = NOPASSWD: /path/to/script, /etc/init.d/httpd, /path/to/somethingelse
Is this syntax correct? If so, am I correct that I would want to list all the specific commands needed in the script where I did not want to be prompted for a password?
- Set suid
http://www.wellho.net/mouth/733_Perl-for-Systems-Admin-suid-scripts.html
To run a Perl script with root privilege:
a) Set the owner of the script to root
b) Set the suid bit on the file on (chmod u+s filename)
c) Turn off read permission, and on execute permission to the file to everyone except root (chmod go=x)
But other research suggests that you can only set suid on binaries for later Linux systems (my script will actually run on an older version of RH4 but we may end up upgrading so I'd like to be forward compatible). I don't think I want to create a binary just for this!
- 'Use ssh with generated public/private keys. The key can be configured to allow only certain commands to be executed with it.'
- Leave in sudo for any scripted commands that require root:
system 'sudo rake ts:rebuild' (of course this has the drawback of having all those password prompts!)
- Execute script as root
But what about commands I want run as a normal user?
- Execute as root su username (for tasks that need to be run as the normal user)
'Run script as root, do a bunch of tasks as root, su newUser do a bunch of tasks as newUser, exit (exits back to the root user) do a bunch more tasks as root.' (proposed by James below)
I feel ashamed to not have a better grasp of this topic, but I'm a bit surprised at how many Ruby "scripting books" I referred to that do not address this! I guess it's more of a 'nix thing, but it seems that to do anything of substantial use, you'd likely run into this.
Edit: Some things like mysql I can use options in the command like --password so I've used this to do that:
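# Turn off terminal echo so the typed passwords are not displayed
system('stty -echo')
begin
  puts "Remote Password: "
  password = STDIN.gets.chomp
  puts "Mysql Password (local): "
  mysql_local_password = STDIN.gets.chomp
ensure
  # Always restore echo, even if reading input fails or is interrupted
  system('stty echo')
end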
And then I can use those passwords from within the script but they never get seen as clear text. But this doesn't work for everything of course.
The other thing I should mention is that there are commands that need to be run as different users (in addition to just root and one normal user, there may be a 'build' user, etc.).
Question: Please help me to understand the pros and cons of these (and any other proposed or better solutions). Also, if there's a definitive book, links, man pages, etc., that addresses how scripts interact with the underlying system's permissions that you can refer me to that would be great as well.
Thanks all!
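An added example, not part of the original post: one way to keep the sudoers route and the "different users" requirement in step is to drive both from a single table in the Ruby script. The `deploy` and `build` accounts and the `/usr/local/bin` paths are hypothetical; only `/etc/init.d/httpd` comes from the post. The emitted lines use the sudoers form `user host = (runas) NOPASSWD: commands`.

```ruby
# Added example: account names and /usr/local/bin paths are constructed.
INVOKER = 'deploy'   # hypothetical account that runs the script
HOST    = 'ALL'      # sudoers host field, required between user and '='

# Run-as user => commands the script may run as that user without a password.
ALLOWED = {
  'root'  => ['/etc/init.d/httpd', '/usr/local/bin/rebuild-index'],
  'build' => ['/usr/local/bin/run-build'],
}

# sudoers matches commands by full path, so reject relative names and any
# character that has meaning in the sudoers grammar (spaces, commas, colons).
def check_command!(cmd)
  unless cmd =~ %r{\A/[A-Za-z0-9_./-]+\z}
    raise ArgumentError, "not a plain absolute path: #{cmd.inspect}"
  end
  cmd
end

# One sudoers line per run-as user. A command listed without arguments may be
# run with any arguments, so list only commands that are safe in that form.
def sudoers_lines(invoker, host, allowed)
  allowed.keys.sort.map do |runas|
    cmds = allowed[runas].map { |c| check_command!(c) }
    "#{invoker} #{host} = (#{runas}) NOPASSWD: #{cmds.join(', ')}"
  end
end

# argv for Kernel#system. Refuses anything missing from the table, so the
# script and the sudoers file cannot drift apart silently.
def sudo_argv(allowed, runas, cmd, *args)
  unless allowed.fetch(runas, []).include?(cmd)
    raise ArgumentError, "#{cmd} is not allowed as #{runas}"
  end
  ['sudo', '-u', runas, cmd] + args
end

if __FILE__ == $0
  puts sudoers_lines(INVOKER, HOST, ALLOWED)
  # Passing an argv list (not one string) keeps the shell out of the call:
  #   system(*sudo_argv(ALLOWED, 'root', '/etc/init.d/httpd', 'restart'))
  p sudo_argv(ALLOWED, 'root', '/etc/init.d/httpd', 'restart')
end
```

Install the generated lines with `visudo` (or check a candidate file with `visudo -c -f FILE`) rather than editing `/etc/sudoers` directly, and keep every listed command owned by root and not writable by the invoking user.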