Execute commands as another user

I created a user named intelmq which has permissions to run a program called intelmqctl. Then I created a user named apache and I would like apache to execute intelmqctl as the user intelmq. I added the following lines to the sudoers file:
Defaults:apache !requiretty
apache ALL=(intelmq) NOPASSWD: /usr/bin/intelmqctl
However, every time I try to run the following command as user apache it returns this:
command: sudo -u apache sudo -u intelmq /usr/bin/intelmqctl --type json stop abusech-ip-parser
output:
Sorry, user apache is not allowed to execute '/bin/sudo -u intelmq /usr/bin/intelmqctl --type json stop abusech-ip-parser' as apache on localhost.localdomain.
I'm using CentOS 7.
Here are the steps that I made to install intelmqctl and the problem itself better explained, maybe I failed something during the installation: https://github.com/certtools/intelmq/issues/981
If I try to execute sudo -iu apache as root, it will change to the apache user, then if I execute the command sudo -u intelmq /usr/bin/intelmqctl, it works, it shows all the options to execute intelmqctl.
However, if I run the command sudo -iu apache as the apache user it returns: Sorry, user apache is not allowed to execute '/bin/bash' as apache on localhost.localdomain.
centos sudo users
Let us continue this discussion in chat.
– ChristophS
Jun 2 '17 at 4:38
Have you been able to resolve this problem?
– sebix
Nov 7 '17 at 14:15
@sebix Yes, the problem was on IntelMQ Manager when stopping the bots it wouldn't stop them and I tried via command line to replicate / find the solution using the user apache. But then I found out that the problem was from the soft kill command SIGINT, so I changed IntelMQ's code from SIGINT to SIGTERM.
– mf370
Nov 8 '17 at 18:11
@mf370 So this was certtools/intelmq#981 and certtools/intelmq-manager#103. Will be fixed in version 1.1 (or current development branch).
– sebix
Nov 9 '17 at 15:19
edited Jan 26 at 15:34 by Rui F Ribeiro
asked Jun 1 '17 at 10:43 by mf370
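Why the outer sudo in the question is refused, as an added example that is not part of the original post: when apache runs `sudo -u apache ...`, sudo must first authorize apache to run /bin/sudo as apache, and the only rule shown covers /usr/bin/intelmqctl as intelmq. The script is a simplified model of sudoers matching (literal names and ALL only); the function name and the root rule are assumptions, the latter being the usual default entry that is not shown on the page.

```shell
#!/bin/sh
# Simplified model of sudoers matching for rules of the form
#   user host=(runas) [TAG:] /path/to/command
# with literal names or ALL. Real sudoers also supports aliases, groups,
# wildcards and argument lists; none of that is modelled here.

# sudo_allows RULE INVOKER TARGET COMMAND -> prints "allow" or "deny"
sudo_allows() {
    _who=${1%% *}                 # user the rule applies to
    _rest=${1#*=}                 # "(runas) [TAG:] command"
    _runas=${_rest#\(}
    _runas=${_runas%%\)*}         # text between the parentheses
    _cmd=${_rest#*\)}             # what follows the Runas spec
    _cmd=${_cmd#*:}               # drop a tag such as NOPASSWD:
    _cmd=${_cmd##* }              # keep the command path (or ALL)
    if [ "$_who" != "$2" ]; then echo deny; return 0; fi
    if [ "$_runas" != ALL ] && [ "$_runas" != "$3" ]; then echo deny; return 0; fi
    if [ "$_cmd" != ALL ] && [ "$_cmd" != "$4" ]; then echo deny; return 0; fi
    echo allow
}

APACHE_RULE='apache ALL=(intelmq) NOPASSWD: /usr/bin/intelmqctl'  # from the question
ROOT_RULE='root ALL=(ALL) ALL'   # assumed default entry, not shown on the page

# Each request as sudo sees it: invoking user, target user (-u), command.
echo "apache, sudo -u intelmq /usr/bin/intelmqctl: $(sudo_allows "$APACHE_RULE" apache intelmq /usr/bin/intelmqctl)"
echo "apache, sudo -u apache sudo ...:             $(sudo_allows "$APACHE_RULE" apache apache /bin/sudo)"
echo "apache, sudo -iu apache:                     $(sudo_allows "$APACHE_RULE" apache apache /bin/bash)"
echo "root,   sudo -iu apache:                     $(sudo_allows "$ROOT_RULE" root apache /bin/bash)"
```

On a real host, `sudo -l -U apache` run as root lists the rules sudo will actually apply to apache.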
1 Answer
You can add setuid permission to that binary and change the ownership to intelmq.
# chown first: on Linux, changing the owner clears the setuid bit
chown intelmq /usr/bin/intelmqctl
chmod u+s /usr/bin/intelmqctl
Then you can run this executable with the process ownership of intelmq.
Correction: Anyone can run the command with intelmq privileges.
– Kusalananda
Jun 1 '17 at 11:23
Yes, you are right. I must have added this information, my fault.
– LittleSmurfie
Jun 1 '17 at 11:24
Thank you. However, those commands didn't solve the issue, it still returns the same output.
– mf370
Jun 1 '17 at 11:27
What you can do if you want to go this route is to copy the binary into a directory with read+execute only by the apache user. But this is a rather ugly solution.
– Patrick
Jun 1 '17 at 12:39
answered Jun 1 '17 at 11:19 by LittleSmurfie
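An added check, not part of the answer or its comments, for the exposure Kusalananda and Patrick describe: it reports whether a setuid file can be executed by every local user, looking at the file mode and its parent directory, and flags `#!` scripts, for which Linux ignores the setuid bit. It assumes GNU stat; the function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# setuid_exposure FILE -> prints one word:
#   none        setuid bit not set
#   ignored     setuid bit set on a "#!" script (Linux does not honour it)
#   world       setuid binary that any local user can reach and execute
#   restricted  setuid binary, but "other" lacks execute on the file or
#               search permission on its parent directory
# Assumes GNU stat; only the immediate parent directory is examined.
setuid_exposure() {
    _mode=$(stat -c '%a' "$1") || return 1             # e.g. 4755 or 755
    _dmode=$(stat -c '%a' "$(dirname "$1")") || return 1
    _special=0
    if [ "${#_mode}" -eq 4 ]; then _special=${_mode%???}; fi
    case $_special in
        4|5|6|7) ;;                                    # setuid bit present
        *) echo none; return 0 ;;
    esac
    if [ "$(head -c 2 "$1")" = '#!' ]; then echo ignored; return 0; fi
    # Last octal digit = permissions for "other"; an odd digit includes x.
    case ${_mode#"${_mode%?}"}${_dmode#"${_dmode%?}"} in
        [1357][1357]) echo world ;;
        *) echo restricted ;;
    esac
}

# Constructed sample files in a scratch directory (not the real intelmqctl).
demo() {
    _d=$(mktemp -d) || return 1
    chmod 755 "$_d"
    printf '\177ELF' > "$_d/tool"                      # stand-in for a binary
    printf '#!/usr/bin/python\n' > "$_d/script"
    chmod 4755 "$_d/tool" "$_d/script"                 # setuid plus rwxr-xr-x
    echo "tool, mode 4755:    $(setuid_exposure "$_d/tool")"
    echo "script, mode 4755:  $(setuid_exposure "$_d/script")"
    chmod 4750 "$_d/tool"
    echo "tool, mode 4750:    $(setuid_exposure "$_d/tool")"
    chmod 4755 "$_d/tool"; chmod 700 "$_d"
    echo "tool in 0700 dir:   $(setuid_exposure "$_d/tool")"
    rm -rf "$_d"
}
demo
```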