I have user A and user B on a CentOS7 system.
I have full access to user B, but no access to user A. What I want is only from user A, one can su into user B without password. From any other user including ssh one must enter the password. Is this possible to achieve?
To give some context, I am currently creating a Jenkins Job using “Active Choices Parameter”. But the Groovy script that generates the “Active Choices Parameter”s only runs as “jenkins” user while I need access to my “personal” user scripts on the system. Which means I have to “su” from the “jenkins” user into my “personal” user.
As it currently stands I am using echo "password" | su my_user -c "some command" to achieve the effect, but since the script is viewable on the webpage and the Jenkins server is accessible by anyone in the same network, it implies my personal user password is viewable by anyone and people can do malicious thing to my custom account without me knowing.
Is there a way to achieve the effect where I can switch from “jenkins” user to my user without the need to provide a password?
If this is achievable, it is assumed all modification to Jenkins web scripts are monitored and no one will try to do malicious thing using the Jenkins web interface.
The full Groovy script I am currently using is something like below
def cmd = ["/bin/sh", "-c", "echo 'password' | su my_user -c 'cd && ./custom.sh 2>&3' 3>&2 2>/dev/null "]
def output = new StringBuilder(), error = new StringBuilder()
def proc = cmd.execute()
proc.consumeProcessOutput(output, error)
proc.waitForOrKill(5000)
if (!error) {
List lines = output.toString().split( '\n' )
return lines
}
return []
The effect I want is such that there is no “password” showing up in the script.