compute engine startup script can't execute as a non-root user
Boiling my issue down to the simplest case, I'm using Compute Engine with the following startup-script:
#! /bin/bash
sudo useradd -m drupal
su drupal
cd /home/drupal
touch test.txt
I can confirm the drupal user exists after this command, so does the test file. However I expect the owner of the test file to be 'drupal' (hence the su). However, when I use this as a startup script I can still confirm ROOT is the owner of the file:
meaning my
su drupal
did not work. sudo su drupal also does not make any difference. I'm using Google Container OS, but same happens on a Debian 8 image.
sudo su is not a command run within a shell -- it starts a new shell.
That new shell is no longer running your script, and the old shell that is running the script waits for the new one to exit before it continues.
The sudo su command will start a new shell. The old shell waits for the old one to exit and continues executing the rest of the code.
Your script is running in the 'old' shell, which means these commands:
cd /home/drupal
touch test.txt
are still executed as root and thus the owner of these files is root as well.
You can modify your script to this:
#! /bin/bash
sudo useradd -m drupal
sudo -u drupal bash -c 'cd ~/; touch text2.txt'
and it should work.
The -u flag executes the command as the user specified, in this case 'drupal'
- Terraform - GCP - Import project IAM member
- Getting random "User not found in file /etc/passwd" error on Cloud Run Job
- Change time format in GCP Logs Explorer
- Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error
- Deploying a pelican site to Google Cloud Run with Dockerfile not working
- Is there a good explanation of resource labels versus metric labels?
- Why do I set the resource type when writing the metric but not when creating a descriptor?
- google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s)
- GA4 Data Not Retained for More Than 60 Days Despite BigQuery Table Expiration Set to 'Never
- How to list all enabled API services for Google Cloud Platform project
- Google Cloud calendar API connection error
- Downloading a folder from cloud storage in GitHub action and move it inside a docker container is not working
- How to fix CloudRun error 'The request was aborted because there was no available instance'
- Google Cloud Build with Dockerfile and copy files
- Firebase CLI console: Cannot find module @google-cloud/tasks
- Does Cloud SQL have a query console or is CLI the only option?
- How to use Google Cloud Shell with the new Windows Terminal
- Why does GKE kubernetes cluster need a version?
- Unable to Read Mounted GCSFuse Directory After Adding --implicit-dirs Option
- Error: 10: Developer console is not set up correctly (Not Using Firebase) (One Tap sign-up)
- Connection between Private GKE and Cloud SQL
- Kubernetes cluster architecture
- Validating PubSub message against AVRO JSON schema with multiple union types
- Can i run cloud run jobs locally
- How to log SSL/TLS Handshake details on Google Cloud Load Balancer
- Utilizing Gemini: Through Vertex AI or through Google/generative-ai?
- How to use Puppeteer in 2nd gen Cloud Functions?
- GCP Logging: who created a Project?
- Connection broken: IncompleteRead in Google Cloud Run
- How do I query firestore data that is inside collections in said document?