We’re having a strange issue here. Unfortunately I’m not at liberty to post the code here because it belongs to the vendor, but hopefully can provide enough info so that isn’t necessary.
Much could be explained if someone here could definitively say whether or not it is possible for ‘bob’ to execute “some_script.sh”, and have it exit out of his su’d session MID-WAY and have the remainder of the script continue as user ‘pete’ (who originally su’d to impersonate ‘bob’)
I’m fairly certain that this is not possible, but is there anyone out there that knows otherwise?
Things to keep in mind:
- scriptA.sh executes multiple other processes (serially) which make changes to a database
- let's assume that these are 01.sql through to 10.sql.
- It does this by executing ‘sqlplus’ with appropriate arguments.
- The ‘sqlplus’ binary is available to user ‘bob’, but NOT user ‘pete’.
- User pete is currently su’d into user ‘bob’, because pete doesn’t have sqlplus on his PATH.
- The output we saw in the script/database suggested that the ’01.sql’ was executed successfully, but not the others – they failed with a ‘sqlplus command not found’ error.
Cheers,
From the information you’ve given, “No. It is not possible.”
If user ‘pete’ su's to ‘bob’, he creates a new shell as ‘bob’. Any processes started from that new shell are run as ‘bob’. Any script, if run as ‘bob’, cannot change its user/UID to ‘pete’. Any processes started as ‘bob’ cannot change their user/UID (absent setuid bit on the executable). It’s far more likely that part of the script is modifying the shell environment and changing its PATH or some other error within the script.
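The PATH explanation in the answer above, as an added example that is not from the original thread or the vendor's script: a stub `sqlplus` (created in a temporary directory, so no real sqlplus or su is needed) is run for 01.sql through 10.sql, and after step 01 the script sources a hypothetical vendor environment file. The `env_clobber.sh` file overwrites PATH, which reproduces the "command not found" failure from step 02 onward; `env_preserve.sh` prepends to PATH instead and all ten steps succeed. The stub also reports the UID it ran as, which is the same for every step, matching the answer's point that the UID does not change mid-script. The file names and the `demo_setup`/`run_batch` helpers are this example's own inventions.

```shell
#!/bin/sh
# Added example (not the vendor's script). Reproduces the reported symptom:
# step 01 works, steps 02..10 fail with "sqlplus: command not found", because
# a file sourced after step 01 rewrites PATH. Runs entirely as the current user.

# Create a throwaway directory holding a fake 'sqlplus' that reports the UID it
# ran as, plus two hypothetical "environment" files. Prints the directory path.
demo_setup() {
  dir=$(mktemp -d)
  mkdir -p "$dir/bin"
  cat > "$dir/bin/sqlplus" <<'EOF'
#!/bin/sh
echo "stub sqlplus: ran $1 as uid $(id -u)"
EOF
  chmod +x "$dir/bin/sqlplus"
  # The bug: PATH is replaced, so anything that was only on the old PATH is lost.
  cat > "$dir/env_clobber.sh" <<'EOF'
PATH=/usr/bin:/bin
export PATH
EOF
  # The fix: keep the inherited PATH and prepend to it.
  cat > "$dir/env_preserve.sh" <<'EOF'
PATH=/usr/bin:/bin:$PATH
export PATH
EOF
  echo "$dir"
}

# Run 01.sql .. 10.sql through the stub, sourcing env_<mode>.sh after step 01
# (where a vendor script might do it). Prints "<ok> <failed> <uid seen by stub>".
run_batch() {
  dir=$1
  mode=$2
  PATH="$dir/bin:$PATH"; export PATH   # stand-in for "sqlplus is on bob's PATH"
  ok=0; failed=0; seen_uid=
  for n in 01 02 03 04 05 06 07 08 09 10; do
    if out=$(sqlplus "$n.sql" 2>/dev/null); then
      ok=$((ok + 1))
      seen_uid=${out##* }              # last word of the stub's output
    else
      failed=$((failed + 1))           # "sqlplus: command not found" ends up here
    fi
    if [ "$n" = 01 ]; then
      . "$dir/env_$mode.sh"            # PATH change takes effect for step 02 onward
    fi
  done
  echo "$ok $failed $seen_uid"
}

# Stand-alone demonstration, each run in a subshell so PATH edits do not leak:
# expect "1 9 <uid>" for the clobbering file and "10 0 <uid>" for the fixed one.
DEMO_DIR=$(demo_setup)
( run_batch "$DEMO_DIR" clobber )
( run_batch "$DEMO_DIR" preserve )
rm -rf "$DEMO_DIR"
```

To apply this to the real script, grep it (and any files it sources) for assignments to PATH that do not include `$PATH` on the right-hand side, and compare `which sqlplus` and `id -u` printed immediately before and after the step that fails.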