I'm running a home automation package called HomeSeer on an Ubuntu 15.04 server. I have it configured to run with a service account (called "_homeseer"), and I've chown'd the app directory to _homeseer:_homeseer.
To install updates to this package, I download a tar.gz file and then run the vendor-supplied "update.sh" script. This script extracts the compressed file, which happens to also overwrite itself (update.sh)... so I'm thinking I can't just change that script, unless I copy it out to a separate folder somewhere.
As part of update.sh, there's a line that calls "sudo update_extra.sh". Since I'm running update.sh as the service account, this sudo line prompts for the service account's password... which I don't remember (nor do I think I want to).
I don't want to grant that account full sudo rights without a password, as it would be a significant security risk (i.e., the app runs a web server). I'm also a bit wary of giving it full sudo rights to run that update_extra.sh file as root, since that file can be updated by the same service account.
My question:
Is it possible to configure sudo (i.e., visudo) so if the _homeseer account tries to use sudo, it instead prompts for my personal account's password, and runs with the sudo rights that I have? I'd rather not set a root password if I can avoid it... but a preliminary look seems to indicate I might not have much of a choice, if I want to go this route.
Or do I need to modify that update.sh script, configure group permissions so I can apply the updates as myself, and chown to the service account afterwards?
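The concern raised above, that update_extra.sh would run as root while remaining writable by _homeseer, can be checked mechanically before any sudoers rule is written for a script. The following is an added example, not part of the original post or of HomeSeer; the function names are hypothetical, and it assumes GNU `stat` and `readlink` as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat/readlink (Ubuntu).

# writable_by OWNER GROUP MODE ACCOUNT "ACCOUNT_GROUPS"
# Returns 0 if ACCOUNT can write an object with this owner, group and octal mode.
writable_by() {
    owner=$1 group=$2 mode=$3 acct=$4 acct_groups=$5
    [ "$owner" = "$acct" ] && return 0        # the owner can always chmod, then write
    perms=$((0$mode))                         # leading 0: read stat's %a as octal
    [ $((perms & 2)) -ne 0 ] && return 0      # world-writable (o+w)
    if [ $((perms & 16)) -ne 0 ]; then        # group-writable (g+w)
        for g in $acct_groups; do
            [ "$g" = "$group" ] && return 0
        done
    fi
    return 1
}

# sudo_target_writable_by ACCOUNT PATH
# Returns 0 (unsafe) if ACCOUNT can modify PATH itself or any ancestor directory,
# since a writable ancestor lets the file be swapped out. Sticky world-writable
# directories are flagged too, which is deliberately conservative.
sudo_target_writable_by() {
    acct=$1
    p=$(readlink -f "$2") || return 2
    # An account that does not exist simply has no groups.
    acct_groups=$(id -Gn "$acct" 2>/dev/null || true)
    while :; do
        set -- $(stat -L -c '%U %G %a' "$p")
        if writable_by "$1" "$2" "$3" "$acct" "$acct_groups"; then
            echo "UNSAFE: $acct can write $p ($1:$2 mode $3)"
            return 0
        fi
        [ "$p" = "/" ] && return 1
        p=$(dirname "$p")
    done
}

# Usage (the path is a placeholder for wherever the script actually lives):
#   sudo_target_writable_by _homeseer /path/to/update_extra.sh
```

A script that passes this check is owned by another account and sits under directories the service account cannot write, so whatever runs as root is not something the web-facing account can replace.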