对sudo vs su和正在运行的脚本感到困惑

Question

When I do sudo su - john I become user john without asking for a password.
But when I do: sudo su - john /usr/share/script_to_run.pl I am asked for a password. Same also for sudo -u john /usr/share/script_to_run.pl

Why? What am I doing wrong here?

Answer 1

Now, first of all, the - means that you want a login shell. The first statement means that you want to, as root (hence the sudo ), want to make it appear as you logged in as john . Somewhere it is configured that the user you are currently logged in as has the rights to do sudo without using a password.

What happens in the first instance is that you execute one command su - john (meaning "log me in as john ), and you do that as root (since you put sudo first). Your current user has sudo-without-password-rights, and root has the right to become any user.

The second try is wrong. You can't use su to execute a command in that way, and when you want su to execute a single command, I see no reason to make it a login shell.

In the third option, you (as the currently logged in user) want to "become" john for one command. For that, you will need john s password. (When you do this as root , however, you don't need the password.)

To make it work you could probably try

sudo su --command="/usr/share/script_to_run.pl" john

or maybe even the more exotic looking

sudo sudo -u john /usr/share/script_to_run.pl

Answer 2

"sudo" was designed to give all the functionality of "su", but not require them to use the other user's password. The answers you need are within the /etc/sudoers file, editable with the "sudo visudo" command. here you will find that you can make your user not require a password:

cratylus ALL=(ALL)       NOPASSWD: ALL

thence submit queries with

sudo -u cratylus the statement 

note: don't quote the statement - you only do this for the "su -c" command.