Originally Posted by ahso4271
Can I run a command as a normal user after a sudo within a bash script?
You can run stuff password-less with sudo if you put all the commands that would require root privileges and which appear in your bash script into the sudoers file, with a complete path. What I mean is this: this is an example on my own system. This script establishes a VPN connection (using a closed-source product) to a customer of mine:
Code:
#! /bin/bash
/usr/local/bin/barracudavpn --start -r MyPasswordHere
sudo route add -net 10.20.50.0 netmask 255.255.255.0 gw 192.168.200.254
sudo route add -net 10.20.51.0 netmask 255.255.255.0 gw 192.168.200.254
sudo route add -net 10.20.52.0 netmask 255.255.255.0 gw 192.168.200.254
sudo route add -net 10.20.54.0 netmask 255.255.255.0 gw 192.168.200.254
sudo route add -net 10.15.50.0 netmask 255.255.255.0 gw 192.168.200.254
The many route commands up there are needed or else I would still be unable to reach anything. And those route commands need "sudo". And because it's troublesome to remember the exact syntax each time, I put all those lines up there into a single script: vpn.sh
The idea is that I can launch that script from a terminal without being asked the password each time. So I put each of those "route" commands into sudoers too:
Code:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# User sysadm may poweroff the system if he wants to
sysadm ALL=NOPASSWD: /sbin/poweroff
sysadm ALL=NOPASSWD: /sbin/reboot
# User sysadm may use apt to update the system and clean the APT cache
sysadm ALL=NOPASSWD: /usr/bin/apt-get clean
sysadm ALL=NOPASSWD: /usr/bin/apt-get update
sysadm ALL=NOPASSWD: /usr/bin/apt-get dist-upgrade
# VPN stuff:
sysadm ALL=NOPASSWD: /sbin/route add -net 10.20.50.0 netmask 255.255.255.0 gw 192.168.200.254
sysadm ALL=NOPASSWD: /sbin/route add -net 10.20.51.0 netmask 255.255.255.0 gw 192.168.200.254
sysadm ALL=NOPASSWD: /sbin/route add -net 10.20.52.0 netmask 255.255.255.0 gw 192.168.200.254
sysadm ALL=NOPASSWD: /sbin/route add -net 10.20.54.0 netmask 255.255.255.0 gw 192.168.200.254
sysadm ALL=NOPASSWD: /sbin/route add -net 10.15.50.0 netmask 255.255.255.0 gw 192.168.200.254
Result: With the above lines in place I can shut down, reboot and update my system or establish VPN connections without ever being asked for a password.
Of course you can add other commands too ... But please be aware that this is potentially dangerous (you can hose your system). You shouldn't put too much stuff in there. The powers of "root" should only be used if really really necessary.
EDIT:
Running stuff as a normal user after "sudo" has been used could be done using "su" (= switch user). Example from my system -- I cut out the irrelevant parts. But this snippet here is from a script that runs as "root". But at the end of the script I'd like to start a VNC session as my normal user, not as root! Hence I use the "su" command so that things will get started under my normal user account's privileges:
Code:
# ...
# ... VPN and routing stuff, all running as "root" ... I cut out that stuff
# ...
su - sysadm -c "/usr/bin/vnc4server :1 -depth 16 -geometry 1200x768 2>&1"
# end of script; we return a code 0 to signify success
exit 0
What happens on that line up there is that the script which is running as "root" uses "su" to switch into my normal account and there it starts a virtual VNC4 desktop using a resolution of 1200 x 768 (VNC resolutions don't have to be real); the "2>&1" bit at the end suppresses any unwanted output (I need the script to run clean without generating unwanted messages).
So the syntax for su is:
su - NAMEOFACCOUNT -c "command-you-want-to-execute"
Yes, you can use that in scripts that run as "root" or via "sudo".
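As an added example (not part of the original post): a shell function that reads sudoers text and labels each NOPASSWD command by how tightly it is pinned, since sudo matches a command listed with arguments exactly but accepts any arguments for a command listed as a bare path. It assumes one rule per line with no aliases, line continuations or escaped commas; `audit_nopasswd`, `sample_sudoers` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify every NOPASSWD command in sudoers text read from stdin.
# Output: one line per command, "<CLASS> <user> <command>".
audit_nopasswd() {
    awk '
    /^[ \t]*#/ || !/NOPASSWD:/ { next }          # skip comments and rules that still ask for a password
    {
        user = $1
        cmds = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", cmds)      # keep only the command list
        n = split(cmds, list, /[ \t]*,[ \t]*/)   # several commands may share one rule
        for (i = 1; i <= n; i++) {
            cmd = list[i]
            sub(/[ \t]+$/, "", cmd)
            if (cmd == "ALL")
                class = "ANYCMD"      # every command, password-less
            else if (index(cmd, "*") || index(cmd, "?") || index(cmd, "["))
                class = "WILDCARD"    # pattern: matches more than one command line
            else if (cmd !~ /[ \t]/)
                class = "ANYARGS"     # bare path: sudo accepts any arguments
            else
                class = "PINNED"      # full path plus an exact argument list
            print class, user, cmd
        }
    }'
}

# Constructed sample, modelled on the sudoers file in the post above.
sample_sudoers() {
    cat <<'EOF'
# constructed sample entries
%sudo ALL=(ALL) ALL
sysadm ALL=NOPASSWD: /sbin/poweroff
sysadm ALL=NOPASSWD: /usr/bin/apt-get update
sysadm ALL=NOPASSWD: /sbin/route add -net 10.20.50.0 netmask 255.255.255.0 gw 192.168.200.254
sysadm ALL=NOPASSWD: /sbin/route add -net *
sysadm ALL=NOPASSWD: ALL
EOF
}

sample_sudoers | audit_nopasswd
```

To check a real file, feed it in as root, for example `audit_nopasswd < /etc/sudoers`, and review anything not labelled PINNED.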