I think you're trying to make sudo work in a way that it is not ment to - you don't want to add the 'simple' user to the sudoers file (please correct me if i'm wrong).
In that case sudo isn't the tool you want to use you want to issue su -c <command>
this will prompt for the root password, execute the command, then exit.
The problem here is very straightforward. Look at the order of things:
mysql -u$myuser -p$mypass -rs -e "CREATE USER '$dbuser'@'localhost' IDENTIFIED BY '$dbpass';";
mysql -u$myuser -p$mypass -rs -e "GRANT USAGE ON *. * TO '$dbuser'@'localhost' IDENTIFIED BY '$dbpass' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;";
mysql -u$myuser -p$mypass -rs -e "CREATE DATABASE IF NOT EXISTS $dbname ;";
mysql -u$myuser -p$mypass -rs -e "GRANT ALL PRIVILEGES ON $dbname . * TO '$dbuser'@'localhost';";
mysql -u$myuser -p$mypass -rs -e "FLUSH PRIVILEGES ;";
The first three(3) lines cannot be performed by $myuser
because . A superuser (such as root@localhost
) must perform the first three lines.
Here is something additional: Only root@localhost
can perform FLUSH PRIVILEGES;
. However, it is not even necessary because the GRANT
command internally performs FLUSH PRIVILEGES;
.
With these things in mind, this is how you can create new users with its own database:
rootuser=root
rootpass=rootpassword
myuser=creator
mypass=xxxx
dbuser=newuser
dbname=newdb
mysql -u$rootuser -p$rootpass -rs -e "CREATE USER '$dbuser'@'localhost' IDENTIFIED BY '$dbpass';";
mysql -u$rootuser -p$rootpass -rs -e "GRANT USAGE ON *.* TO '$dbuser'@'localhost' IDENTIFIED BY '$dbpass' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;";
mysql -u$rootuser -p$rootpass -rs -e "CREATE DATABASE IF NOT EXISTS $dbname ;";
mysql -u$rootuser -p$rootpass -e "GRANT ALL PRIVILEGES ON $dbname . * TO '$dbuser'@'localhost';";
If you seriously do not want to user root@localhost
, create the user as follows:
Step 01) As root@localhost
, login to mysql and run
SELECT PASSWORD('creatorpassword');
This will return a 41-character MD5-like string.
Step 02) As root@localhost
, login to mysql and run
SET SQL_LOG_BIN=0;
GRANT ALL PRIVILEGES ON *.* to creator@localhost IDENTIFIED BY PASSWORD '41-character MD5-like string';
This creates the user and sets his password. The first line SET SQL_LOG_BIN=0
simply prevents the command from being recorded in the binary logs if you have binary logging enabled.
Step 03) Remove the commands from the audit history of mysql.
Every time you login to mysql, the commands are recorded in a file called .mysql_history
. Run ths
cd
vi .mysql_history
Once you enter into vi
, run /SELECT PASSWORD
, hit enter. This will place you at the line where the command to print the PASSWORD function from text was done. Simply hit dd
and ZZ
, and you are done.
Going forward, you can user creator@localhost with the same rights as root@localhost and you have hidden the password well. You will just have to maintain its integrity.
Best Answer
I would personally invert your strategy and run the script as a non-privileged user, with sudo used to run the commands requiring root privileges. Is there any specific reason you need to run the script as root?
To answer your question however, you can use the -c flag to run a specific command as a user:
Reference: http://linux.die.net/man/1/su