How can I use SetUID on a shell script to run as a non-root user?
Our company's server is running Ubuntu 12.04 (Precise) and Apache 2. We have a custom, internal web application installed. I have a bash script which pulls any updates to that app from source control to the server. Only one user on the system (the owner of the script file) has the necessary SSH keys to connect to source control, but I would like any user on the system to be able to run this script to update the application.
I've done some research, and it looks like this is exactly the purpose for which the setuid bit was designed, so that any user on the system could run the script and the script would run with the user id of the owner of the script. However, it seems that modern distros ignore the setuid bit for scripts, because of the security risks posed if a script owned by root was executed.
I thought I could get around this for a while by making it a perl script, but as of Precise, there is no suid-perl package anymore either. It looks like this has been deprecated.
I found some sites that recommend getting around this by adding the users to the sudoers file, but my script doesn't require root permissions to run, and it doesn't make any changes to any part of the filesystem except the website, so I'd rather not grant anyone sudoer privileges. The script just requires the permissions of the script owner to run properly.
So, what is the preferred, modern approach to executing a script with the UID of a (different, non-root, non-sudo) user?
You can configure sudo to allow people to run a command as a specific no root user too e.g. in sudoers
user1 (ALL) = (appuser) /path/to/yourapp
would allow the user user1 to run your app as appuser with
sudo -u appuser /path/to/yourapp
Similarly
%somegroup (ALL) = (appuser) /path/to/yourapp
in sudoers would allow the users in the group somegroup to run you app as appuser with
sudo -u appuser /path/to/yourapp