Adding newuser in docker container with sudo privileges - bash

Im trying to build a docker file and one of the reqt is to create a user with sudo permissions.
Here is the bash script
# quietly add a user without password
adduser --quiet --disabled-password --shell /bin/bash --home /home/newuser --gecos "testuser" newuser
# set password
echo "testuser:testuser" | sudo chpasswd
and the docker compose file.
FROM ros
RUN apt-get update
RUN apt-get install -y sudo
ADD run.sh /usr/local/bin/run.sh
RUN chmod +x /usr/local/bin/run.sh
CMD ["/usr/local/bin/run.sh"]
When I run this build I get the following error.
chpasswd: (user testuser) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user testuser) password not changed

I think you're misinterpreting the requirements. Creating an user with sudo permissions is different from creating an user with the sudo command.
Depending on the distribution, an user may run sudo if it belongs to the wheel or sudo group (the latter is the case with Ubuntu, which is the base image used by ros).
I strongly suggest that you use the useradd command instead of adduser. The latter is different in Debian & RedHat based distributions, unlike the former which is the same across Linux distributions and even *BSD if you don't use the long options. Also, the former lets you specify the supplementary groups in the command line (-G option).
useradd -m -s /bin/bash -G sudo newuser
If you use the -p option you could also supply the password in encrypted form (the term in the manpage should be hashed form) without the need to use chpasswd later. Use the output of mkpasswd -m sha-512. (The mkpasswd command is present in the whois package). If you're going to use chpass, use the -e option to supply the password in encrypted form. Never use plaintext.

Related

How to get the output of ssh when the command has a command to change user

When I use ssh to run command on a remote machine, I will get the output from shell. However, if I add
sudo su - user2
I will get no output. Now, I cannot do
ssh user2#host
Because of some permission issue.
Is there any way to get the output for the following command?
ssh user1#host 'sudo su - user2; wc -l tmp.txt'
Thanks to #laenkeio. Using sudo -u user2 can run some simple programs.
However, when I need to call a python script which needs some enviroment variable for user2, the script was not able to find those default path by using sudo -u user2.
If you have the appropriate sudo rights on host you should be able to do it with:
ssh -t user1#host 'sudo -u user2 wc -l tmp.txt'
Using sudo -u means "execute as user2", thus avoiding the extra su -. And -t forces ssh to allocate a tty so that sudo can ask for your password.
If you cannot do ssh user2#host for some permission issue, you'll not be able to run ssh user1#host 'sudo su - user2; ... for the same reason...
And, even with no permission issue, when doing su - user you'll be requested for a password...

Permission denied to Docker daemon socket at unix:///var/run/docker.sock

I have this Dockerfile:
FROM chekote/gulp:latest
USER root
RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y sudo libltdl-dev
ARG dockerUser='my-user-name';
ARG group='docker';
# crate group if not exists
RUN if ! grep -q -E "^$group:" /etc/group; then groupadd $group; fi
# create user if not exists
RUN if ! grep -q -E "^$dockerUser:" /etc/passwd; then useradd -c 'Docker image creator' -m -s '/bin/bash' -g $group $dockerUser; fi
# add user to the group (if it was present and not created at the line above)
RUN usermod -a -G ${group} ${dockerUser}
# set default user that runs the container
USER ${dockerUser}
That I build this way:
docker build --tag my-gulp:latest .
and finally run by script this way:
#!/bin/bash
image="my-gulp:latest";
workDir='/home/gulp/project';
docker run -it --rm \
-v $(pwd):${workDir} \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/bin/docker:/usr/bin/docker \
${image} /bin/bash
that logs me into the docker container properly but when I want to see images
docker images
or try to pull image
docker pull hello-world:latest
I get this error:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.38/images/json: dial unix /var/run/docker.sock: connect: permission denied
How to create docker image from chekote/gulp:latest so I can use docker inside it without the error?
Or maybe the error is because of wrong docker run command?
A quick way to avoid that. Add your user to the group.
sudo gpasswd -a $USER docker
Then set the proper permissions.
sudo setfacl -m "user:$USER:rw" /var/run/docker.sock
Should be good from there.
The permission matching happens only on numeric user ID and group ID. If the socket file is mode 0660 and owned by user ID 0 and group ID 32, and you're calling it as a user with user ID 1000 and group IDs 1000 and 16, it doesn't matter if one /etc/group file names gid 32 as docker and the other one names gid 16 the same; the numeric gids are different and you can't access the file. Also, since the actual numeric gid of the Docker group will vary across systems, this isn't something you can bake into the Dockerfile.
Many Docker images just run as root; if they do, they can access a bind-mounted Docker socket file regardless of its permissions.
If you run as a non-root user, you can use the docker run --group-add option to add a (numeric) gid to the effective user; it doesn't specifically need to be mentioned in the /etc/groups file. On a Linux host you might run:
docker run --group-add $(stat -c '%g' /var/run/docker.sock) ...
You wouldn't usually install sudo in a Dockerfile (it doesn't work well for non-interactive programs, you usually don't do a whole lot in interactive shells because of the ephemeral nature of containers, and you can always docker exec -u 0 to get a root shell) though installing some non-root user is often considered a best practice. You could reduce the Dockerfile to
FROM node:8
RUN apt-get update
# Trying to use the host's `docker` binary may not work well
RUN apt-get install -y docker.io
# Install the single node tool you need
RUN npm install -g gulp
# Get your non-root user
RUN adduser myusername
# Normal Dockerfile bits
WORKDIR ...
COPY ...
RUN gulp
USER myusername
CMD ["npm", "run", "start"]
(That Docker base image has a couple of things that don't really match Docker best practices, and doesn't seem to be updated routinely; I'd just use the standard node image as a base and add the one build tool you need on top of it.)
open terminal and type this command
sudo chmod 666 /var/run/docker.sock
let me know the results...
You need the --privileged flag with your docker run command.
By the way , you can just use the docker in docker , image from docker for this kind of use case.
https://asciinema.org/a/24707
https://hub.docker.com/_/docker/
The error has nothing to do with docker pull or docker image subcommand, but rather that you need to call the docker command as either a user with write access to the docker socket (for example, by being root, using sudo, or by being in the docker group).

Escaping from sudo within a script

I have a script that calls another script as sudo. From within the second script, I want to be able to run another process without sudo permissions (the process in question is brew, which doesn't play nicely with sudo).
Here's the code in question:
scriptA.sh:
#!/bin/sh
sudo ./scriptB.sh
scriptB.sh:
#!/bin/sh
# This runs as sudo, but I need it to run as a regular user e.g. `username`
brew update
I tried su -c "brew update" -s /bin/sh username, but OS X's su doesn't allow the c flag.
Just use sudo again:
sudo -u username brew update
Superuser can use the su command to become any other user. So
su otheruser -c "command to execute"
OS X su does allow the -c option. You just have to put it after the username. From the man page:
If the optional args are provided on the command line, they are passed to the login shell of the target login. Note that all command line arguments before the target login name are processed by su itself, everything after the target login name gets passed to
the login shell.
In this case -c is not an option to the su command, it's an option to the login shell. And most shells take a -c option to specify a command to execute.

Run sudo as specific user without password

I used the following command in my script
sudo su - user -c bash <<EOF
cp /home/test.txt /opt/
EOF
If I use the sudo su - user on terminal, Unix don't ask me the Password but if I try to run the script the terminal ask me the Password and if I delete the EOF part the rest of code run when I quit the session.
I want to run the command in user mode sudo but the terminal don't Need ask me the Password.
If I use
sudo su - user <<EOF
code
EOF
I have an error in .bash_profile: too many argument
I want to run the command in user mode sudo but the terminal don't
Need ask me the Password.
The scenario you are experiencing is caused by the users cached credentials for sudo, which allow sudo to maintain a session and any further sudo command will not prompt for passwords.
Check this:
Open a new terminal and run sudo whatever, then close it and open another new terminal and run sudo whatever, you will see that sudo asks for password every time...
If you still need to do that, then you have the following options:
Prevent sudo to ask for password permanently:
run sudo visudo and look for the line root ALL=(ALL) ALL, then add a line
username ALL=(ALL) NOPASSWD: ALL
then save and exit.
Note: This is a security risk
Or Prevent sudo to ask for password permanently only for specific script:
run sudo visudo and look for the line root ALL=(ALL) ALL, then add a line
username ALL=NOPASSWD: path_to_the_script
then save and exit
Provide password inside the script, by running your sudo command like this:
sudo -S <<< "password" command
Note: This is a security risk too.
I guess you need to execute your command as a different user. This might be your answer: Run a shell script as another user that has no password
sudo -H -u otheruser bash -c 'echo "I am $USER, with uid $UID"'
It is a quote from the link. Probably the following is better for you:
sudo -H -u otheruser bash <<EOF
cp /home/test.txt /opt/
EOF
UPDATE: You may wish to create a specific sudo rule to run a specific command without password (inside /etc/sudoers file -remember to use visudo to edit it-):
otheruser ALL=NOPASSWD: /full/path/to/your_command.sh
(of course you need root access to edit sudoers, I hope you can do it).
And create the script called your_command.sh that contains your logic. You'll then be allowed to run it without password:
sudo -H -u otheruser your_command.sh
I know, it's not a "single line command" but it is safe as it allows only one specific command without password. And it doesn't require a password, of course!
Then don't use sudo, then it won't ask for password, but you will to be have logged in as root!

Need to use sudo su - in Unix shell script

I am at beginner level and I need to use sudo su - and pwd in one command line in script for two different users. (I'm using pwd as an example; the specific command is not important.)
And I am using command sudo su - user -c pwd. This command works when switching to one user, but not when switching to another.
For example:-
$ sudo su - ora -c pwd
/oracle/
$ sudo su - adm -c pwd
Sorry, user myuser is not allowed to execute '/usr/bin/su - adm -c pwd' as root on server.
$
How can I make it work for 'adm' user too?
sudo is used to run a command as somebody else.
By default it runs a command as root.
You can also supply the -u option to run a command as another user.
You really shouldn't need to use sudo and su together as they do similar jobs.
Sudo does this job in a much more controlled and configurable fashion.
Sudo can be configured to control:
Who can use it.
What commands they can run.
Who they can run them as.
Whether they need to supply their password when doing so.
You can only run one command at a time, so if you need to do several things together you will need to write a script. Alternatively you can chain them together in a one liner. Or finally you can run a shell as the user you require. e.g.:
sudo bash
I think in your case you probably want to use:
sudo -u adm anycommand

Resources