Headless Ansible

Sorry, @charlespick . My ancient reptilian brain remembers when people thought this was acceptable. Modern OSs don’t honor the suid bit on scripts any more, and for good reasons. I’m embarrassed to have brought it up.

There are better ways to get the effect you want, though. Below is a simple script I called id-a.sh:

#!/usr/bin/bash

cmd="$(realpath "$0")"          # absolute path of this script, so the re-exec works from any cwd
ansibleid="ansible-unleashed"   # the account the playbook should run as

# The path is passed as a printf argument rather than embedded in the format
# string, so a '%' in the path can't be misread as a printf directive.
printf "PID $$ starting %s as '%s' in '%s'\n" "$cmd" "$(id -un)" "$(/bin/pwd)"
if [ "$(id -un)" != "$ansibleid" ] ; then
  # Not the target user yet: re-run this same script under a login shell for that user.
  sudo runuser -l "$ansibleid" "$cmd"
  rc=$?
  printf "PID $$ ending run of %s as '%s' in '%s'\n" "$cmd" "$(id -un)" "$(/bin/pwd)"
  exit $rc
fi

printf "PID $$ running %s as '%s' in '%s'\n" "$cmd" "$(id -un)" "$(/bin/pwd)"
# Put your ansible-playbook command here.
# And comment out all the other stuff; it's just to prove
# the technique works anyway.
printf "whoami: %s\n" "$(whoami)"
printf "id -a:  %s\n" "$(id -a)"
touch /tmp/id-a.test.$$
printf "touch test: %s\n" "$(ls -l /tmp/id-a.test.$$)"
rm -f /tmp/id-a.test.$$

And here’s the output of a run:

PID 1234130 starting /home/utoddl/ansible/id-a.sh as 'utoddl' in '/home/utoddl/ansible'
PID 1234139 starting /home/utoddl/ansible/id-a.sh as 'ansible-unleashed' in '/home/ansible-unleashed'
PID 1234139 running /home/utoddl/ansible/id-a.sh as 'ansible-unleashed' in '/home/ansible-unleashed'
whoami: ansible-unleashed
id -a:  uid=123454321(ansible-unleashed) gid=123454321(ansible-unleashed) groups=123454321(ansible-unleashed) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
touch test: -rw-r--r--. 1 ansible-unleashed ansible-unleashed 0 Oct 17 21:54 /tmp/id-a.test.1234139
PID 1234130 ending run of /home/utoddl/ansible/id-a.sh as 'utoddl' in '/home/utoddl/ansible'

This script checks to see if it’s running as the user ansible-unleashed, and if it isn’t, it re-runs itself with sudo runuser -l ansible-unleashed /home/utoddl/ansible/id-a.sh, which runs the command under the ansible-unleashed user with a login shell.

Your problem then is to set up password-less sudo for the nut user for this one command, which is conveniently described here — if you squint a little and substitute a few strings.

This may seem like a lot of fluff to replace a single suid bit, but it avoids (1) some bad practices that (2) no longer work anyway and (3) can be managed without surprises on modern systems.

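To make the "password-less sudo for this one command" part concrete, here is an added example (not utoddl's script and not from the original thread) that prints the single sudoers line the post describes and refuses to bless a script whose permissions would let someone other than its owner edit it. The user names, the script path and the location of runuser (/usr/sbin/runuser, overridable with RUNUSER=) are assumptions taken from the post's output:

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Assumed names: invoking user "nut",
# service account "ansible-unleashed", script /home/utoddl/ansible/id-a.sh,
# runuser at /usr/sbin/runuser (set RUNUSER to override).
RUNUSER="${RUNUSER:-/usr/sbin/runuser}"

# Emit the one sudoers line: exact binary, exact arguments, no wildcard, so the
# invoker can run this script as the service account and nothing else.
sudoers_rule() {
  invoker="$1"; target="$2"; script="$3"
  printf '%s ALL=(root) NOPASSWD: %s -l %s %s\n' "$invoker" "$RUNUSER" "$target" "$script"
}

# A NOPASSWD rule on a file that others can write lets whoever can write it run
# arbitrary code as the target account. Returns 0 only when the file exists, is
# owned by the expected owner, and has no group or other write bit set.
script_is_locked_down() {
  f="$1"; expected_owner="$2"
  [ -f "$f" ] || return 1
  mode="$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")" || return 1   # GNU, then BSD stat
  owner="$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")" || return 1
  [ "$owner" = "$expected_owner" ] || return 1
  case "$mode" in *[2367]) return 1 ;; esac       # "other" write bit set
  case "${mode%?}" in *[2367]) return 1 ;; esac   # "group" write bit set
  return 0
}

# Stand-alone use: ./check.sh --show prints the rule and whether the script passes.
if [ "${1:-}" = "--show" ]; then
  sudoers_rule nut ansible-unleashed /home/utoddl/ansible/id-a.sh
  if script_is_locked_down /home/utoddl/ansible/id-a.sh root; then
    echo "ok: script is root-owned and not group/world writable"
  else
    echo "refuse: fix ownership/permissions before adding the rule"
  fi
fi
```

sudo matches the whole command line against the rule, so with the arguments spelled out the nut user can run exactly `runuser -l ansible-unleashed /home/utoddl/ansible/id-a.sh` and nothing else; put the line in a file under /etc/sudoers.d/ and check it with visudo -c before relying on it.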