This article applies to the JS7 Agent for Unix only. For Windows environments, see JS7 - Running Jobs as a different User on Windows.

Basics

Users can choose

  • to

...

  • operate the Agent as a non-root run-time account:
    • This allows sudo to be used to switch to other user accounts.
    • This requires sudo permissions to be configured for switching user accounts.
  • to operate the Agent as the root run-time account:
    • This allows the Agent to execute any commands and scripts independently of ownership.
    • This allows the Agent to switch to any user account using su.
    • Operating the Agent as root is not recommended as this includes unlimited permissions and introduces security risks.

...

To switch from the Agent's run-time account to a different user account, a Shell job script can use sudo like this:

Example for using sudo from a non-root account:

sudo -su user1 <<EOF
whoami
pwd
EOF


Explanation:

  • user1 is any user account available from the operating system for which a login is performed.
  • For execution of multiline commands a Here Document is used:
    • The commands between <<EOF (line 1) and EOF (line 4) are executed using sudo.
    • Instead of EOF any unique string can be used that does not match one of the commands to be executed.
    • Using <<'EOF' will prevent substitution in the Here Document.
  • Executing sudo from a non-root account requires the sudo configuration to be in place. The location of the sudo configuration file depends on the operating system, for example /etc/sudo.conf or /etc/sudoers.
    • Example
      • To allow the Agent run-time account to run jobs as the user accounts user1 and user2, the following setting can be used in the sudo configuration file:
        • <run-time-account> ALL=(user1, user2) NOPASSWD: ALL
      • To allow the Agent run-time account to run jobs as all user accounts, the following setting can be used:
        • <run-time-account> ALL=(ALL) NOPASSWD: ALL
      • The NOPASSWD setting is required to allow the account to use sudo without specifying a password.

...

If the Agent is operated from the root account, it can use the following command in a Shell job script to switch to a different user account:

Example for using su from the root account:

su -l user1 <<EOF
whoami
pwd
EOF


Explanation:

  • user1 is any user account available from the operating system for which a login is performed.
  • For execution of multiline commands a Here Document is used:
    • The commands between <<EOF (line 1) and EOF (line 4) are executed using su.
    • Instead of EOF any unique string can be used that does not match one of the commands to be executed.
    • Using <<'EOF' will prevent substitution in the Here Document.
  • Executing su from the root account does not require the account's password to be specified.
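
The effect of quoting the delimiter, noted in both explanations above, shown as an added example that is not part of the original article or the JS7 product: with <<EOF the calling shell (the Agent's run-time account) expands variables and command substitutions before the text reaches the target shell, with <<'EOF' the target account's shell expands them. So that it runs without sudo or su, a child sh with a different environment stands in for the user switch; run_as_target, WHO and JOB_PARAM are constructed names.

```shell
#!/bin/sh
# Constructed marker variable: its value shows which shell did the expansion.
WHO=agent
# Constructed value that the job wants to hand over from the Agent side.
JOB_PARAM=report.csv

# Stand-in for "sudo -su user1" / "su -l user1": a child shell that reads the
# script from stdin and has its own value of WHO in its environment.
run_as_target() {
    WHO=target sh
}

# Unquoted delimiter: $WHO and $(...) are evaluated by the calling shell,
# i.e. with the Agent account's values and permissions, then sent as text.
unquoted() {
    run_as_target <<EOF
echo "var=$WHO cmd=$(echo "$WHO")"
EOF
}

# Quoted delimiter: the text is passed through unchanged, so the target
# account's shell evaluates $WHO and $(...) itself.
quoted() {
    run_as_target <<'EOF'
echo "var=$WHO cmd=$(echo "$WHO")"
EOF
}

# Unquoted delimiter with selective escaping: $JOB_PARAM is filled in on the
# Agent side, \$WHO is left for the target shell.
mixed() {
    run_as_target <<EOF
echo "file=$JOB_PARAM var=\$WHO"
EOF
}

printf 'unquoted: %s\n' "$(unquoted)"
printf 'quoted:   %s\n' "$(quoted)"
printf 'mixed:    %s\n' "$(mixed)"
```

Values expanded on the Agent side are pasted into the script as text and are then parsed as shell code by the target account, so only trusted values should be inserted this way.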

...