How to execute a command with admin privileges and access to files of the logged in user?
Solution 1
sudo
always requires the executing user's password (and requires that you have specific permissions to do this, i.e. are one of the sudoers
).
su
requires the password of the target account (root
by default, but root account has no password on OS X by default). If you use su
instead, you can enter the destination account's password and execute a command using that user's privileges.
su -c some_cmd # as root
su username -c some_cmd # as username
This works by passing all arguments after the user name to the destination account's login shell. Shells usually support -c <commands>
arguments. In GNU coreutils su
, there's an actual -c command
argument to su
that can be placed before the user name.
You can su
to another user account (using the other user account's password), and sudo
from there, provided that other account is a sudoer
.
If you want neither to enter another account's password, nor give your regular account sudoers
permissions, you're pretty much out of options unless you consider SSH with key authentication or something like that.
Solution 2
Unless you really "need" to maintain a separate root user on Mac OS X, it's often much easier to just get a root shell using sudo -s
In your case, non-admin users are not included in /etc/sudoers - so you would have to add by hand the users/groups you intend to have sudo accept.
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
Once that's done, sudo will inherits almost all of the nice things from your shell like PATH and other variables, but elevates your non-admin user instantly to root. The downside of enabling root is time and the security risk of someone actually logging in locally or remotely as root.
Keep in mind, sudo
is asking for the password of the user that logged in to the loginwindow screen. su -
wants the password of the root account, sudo -s
uses privilege escalation to use the current user's password to become root without needing any (or in your case, the actual) root password.
Solution 3
If you are using a standard account (usually for security reasons) and you know an administrator username and password, you can do su -l admin_user
. After entering the password, you are now, for all effects, acting as that administrator. Then you can sudo
to your heart's content. Now, just logout
to go back to your original plain account.
Related videos on Youtube
robertj
Updated on September 18, 2022Comments
-
robertj almost 2 years
I have some problems understanding
sudo
. I am logged in on a terminal as an non-admin/non-root user. This "normal" user is not in the sudoers file (and shouldnt be, in my opinion).Now I try to execute a command that needs admin/root privileges and also access to directories of my normal user β therefore I am not able to simply
su
into an admin or root user.In my understanding
sudo -u root
should do the trick β however it doesn't accept the password forroot
(or admin if I try with my normal admin user). It only accepts the password of the "normal" user which seems to indicate that the-u username
option doesn't work the way I expect it to work.My expectation is that
sudo -u root some_command
executessome_command
with the privileges of root and therefore it asks also for the password of root. Obviously not.TL;DR: How do I execute any command that requires admin privileges AND has access to the files of the "logged in (normal) user" without adding the normal user to the sudoers file?
I have enabled the root user under Mac OS X 10.7.
-
robertj almost 13 yearsHi, thanks for the answer. I am not sure if I do understand you correct. As far as I can tell if I su into root I will loose access to the files of the initially logged in user - however this is exactly what I need. Let me be more concrete: I am using npm (node package manager) to install a self written package into the global package registry on my machine. For this to do i need access to "/usr/local/lib/node_modules/..." which the loggedin user (let say "robert") doesnt have. The package resides in "~/my_package". su doesnt help as it has no access to this folder (next comment)
-
robertj almost 13 yearsand adding "robert" to the sudoers file seems like total overkill to me.
-
Motsel about 11 yearsI'm running OS X 10.8.3 and 'su -c' is not recognized as a valid option for me...: "su: illegal option -- c"
-
Motsel about 11 yearsThanks! Is it also possible to combine this with sudo AND only have to type in the (same) password 1 time? Something like this: su username -c 'sudo some_cmd'
-
HikeMike about 11 years@Daps0l Not that I know of, except by allowing username to run
some_cmd
as root all the time (look forNOPASSWD
inman sudoers
). (If the down vote I received for this answer is yours, I'd appreciate if you could undo that) -
cuskus almost 8 yearsThis solved my problem: superuser.com/a/1021174/622740
-
solgar over 7 yearsSudo doesn't always require password. Calling sudo updates timestamp and allows to run sudo without giving password for a couple of minutes (this varies between OSes).