From: Aristedes Maniatis via freebsd-stable
Reply-To: ari@ish.com.au
To: Andriy Gapon, freebsd-stable
Subject: Re: Run script as root without sudo
Date: Thu, 19 Aug 2021 18:33:17 +1000
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

The man page is very confusing. Yes, it says -c is class. But it also
has examples like this:

    su -m operator -c 'shutdown -p now'

In my testing, this works:

    $ su - root -c 'date'
    Thu Aug 19 08:31:53 UTC 2021

and this does not:

    $ su - root 'date'
    date: No such file or directory.

What is -c supposed to do?

Ari

On 19/8/21 6:21pm, Andriy Gapon wrote:
> On 2021-08-19 08:31, Aristedes Maniatis via freebsd-stable wrote:
>> I've got some scripts which are intended to run on a new EC2 instance
>> right after it is created. Since the script needs to install packages it
>> needs to run as root. But because I don't have sudo installed at this
>> point (it is a brand new instance), I've only got 'su' to get root.
>>
>> The script itself is launched over SSH with the ec2-user account and
>> there is no root password at this point in the startup.
>>
>> My first attempt was to put this inside the script itself:
>>
>> if [ "$(whoami)" != "root" ]; then
>>     exec su -c "$0"
>>     exit 1
>> fi
>>
>>
>> But su complains that I'm not allowed to execute a command using the -c
>> option as root.
> -c option seems to be so confusing for some reason that it should be in
> some FAQ document.
>
> From the man page:
>     -c class
>             Use the settings of the specified login class. The login class
>             must be defined in login.conf(5). Only allowed for the
>             super-user.
>
> You surely thought that it did something else, right?
> From the man page again:
>     If the optional args are provided on the command line, they are
>     passed to the login shell of the target login. Note that all command
>     line arguments before the target login name are processed by su itself,
>     everything after the target login name gets passed to the login shell.
>
>> How else can I get this script running as root remotely in a completely
>> unattended way?
>
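
The argument split that the quoted man page text describes, as an added example that is not part of the original message or of FreeBSD's su source: a small sh model that labels each argument of an su command line as consumed by su or handed to the login shell. It assumes the option set from the su(1) synopsis with options written separately; su_split and ./setup.sh are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread): model of how FreeBSD su(1) divides its
# command line, following the man page text quoted above.
# Assumptions: option set taken from the su(1) synopsis
#   su [-] [-c class] [-flms] [login [args]]
# with each option written separately (no clusters such as -lm, no "--").

# su_split ARG...  prints one line per argument naming who consumes it.
su_split() {
    login_seen=0
    while [ $# -gt 0 ]; do
        if [ "$login_seen" -eq 1 ]; then
            # Everything after the login name goes to the login shell untouched.
            printf 'shell-arg: %s\n' "$1"
        else
            case "$1" in
                -c)  # before the login name, -c takes a login class
                    if [ $# -lt 2 ]; then
                        printf 'error: -c requires a class\n'
                        return 1
                    fi
                    printf 'su-class: %s\n' "$2"
                    shift ;;
                -c?*) printf 'su-class: %s\n' "${1#-c}" ;;
                -|-[flms]) printf 'su-option: %s\n' "$1" ;;
                -*) printf 'error: %s is not modelled here\n' "$1"
                    return 1 ;;
                *)  printf 'login: %s\n' "$1"
                    login_seen=1 ;;
            esac
        fi
        shift
    done
    # With no login name, su targets root and the shell gets no arguments.
    [ "$login_seen" -eq 1 ] || printf 'login: root (default)\n'
}

# The command lines from the thread; ./setup.sh is a constructed stand-in for "$0".
echo "== su -c ./setup.sh";  su_split -c ./setup.sh
echo "== su - root -c date"; su_split - root -c date
echo "== su - root date";    su_split - root date
echo "== su -m operator -c 'shutdown -p now'"
su_split -m operator -c 'shutdown -p now'
```

In the third case the login shell receives the bare word date as its first argument and treats it as a script file to open, which matches the "No such file or directory" error shown in the message.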