I am having a lot of trouble launching an AWS Ubuntu instance (from a Cloud Formation template) and successfully running a script on startup. This script does run, but I do not want it running as root. I want the script to either be invoked as a different user or when the script runs for the script to change user.
Since we are attempting to use Cloud Formation, I need to put the script or a reference to the script in my Template file. The relevant part of my template file is below. The script 'myScript.sh' does run, but always as root.
"MyImage" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "xxxxxx",
"KeyName" : "xxxxxx",
"SecurityGroups" : [ "xxxxxx" ],
"UserData" : {"Fn::Base64" : {"Fn::Join" : ["", [
"#include\n",
"https://s3-eu-west-1.amazonaws.com/aFolder/myScript.sh \n"
] ] } }
}
}
},
From the URL: http://alestic.com/2009/06/ec2-user-data-scripts it states that these scripts always run as root. So instead I decided to modify the script to change the user. Below is an example script that does not do what I want. I've commented it inline to explain what each stage does:
#!/bin/bash
whoami > /home/ubuntu/who1.txt # Always returns 'root'
su ubuntu # Appears to have no effect. Ubuntu user does exist
whoami > /home/ubuntu/who2.txt # Always returns 'root'
su ubuntu echo fish > /home/ubuntu/aFile.txt # File is not created
sudo -u ubuntu bash # Appears to have no effect
whoami > /home/ubuntu/who3.txt # Always returns 'root'
I'm guessing that there's something fundamentally wrong with my script, but I just can't see it! has anyone got any experience with AWS and Cloud Formation and have you succeeded in running a script not as root? I really don't want the script running as root since the activities that are going to be started should not be owned at the root level.
Thanks, Phil
By default, the user data scripts are run one time when you launch the instance. To run the user data scripts every time you reboot or start the instance, add <persist>true</persist> to the user data.
Choose Actions, choose Instance Settings, and then choose Edit User Data. 6. Copy your user script into the Edit user data box, and then choose Save. The following example is a shell script that writes "Hello World" to a testfile.
You could use userdata script at instance launch time. Remember this is just 1time activity. If your requirement is to start the script everytime you reboot EC2 instance then you could make use of rc. local file on Linux instances which is loaded at OS boot time.
su
doesn't change the user for the remainder of the script, it starts a new interactive shell for the user you specify. In a non-interactive context like your script here, that shell exits immediately because there is nothing for it to do.
See this question for some suggestions on how to change user for a series of commands. Alternatively for individual commands you can do sudo -u ubuntu [...]
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With