How to run command as user who has /usr/sbin/nologin as Shell?

151,285

Solution 1

You can use the -s switch to su to run a particular shell:

su -s /bin/bash -c '/path/to/your/script' testuser

(Prepend sudo to the above if testuser is a passwordless user.)

Solution 2

You can do this with sudo -u if you have it installed:

# whoami
root
# sudo -u apache whoami
apache
# getent passwd apache
apache:x:48:48:Apache:/var/www:/sbin/nologin

Solution 3

By providing the script as the argument to execute to /bin/sh:

su -s /bin/sh username /your/script/location

Solution 4

Actually, the best way to do this is via runuser.

See the man page for details.

This tool is used to deal with this situation, as the developer said in his blog:

Whenever a service is running as root and wants to change UID using the shell it should use runuser.

http://danwalsh.livejournal.com/55588.html

I've posted this answer in many places, forgive me if you find this annoying.

Solution 5

Just realized:

su -s "/bin/bash" -c "/bin/touch /tmp/testuser" testuser

Maybe there is a better way?!
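The sudo -u and runuser approaches from Solutions 2 and 4 combined in one wrapper, as an added example that is not taken from any of the answers. The names run_as, shell_field, is_nologin_shell, DRY_RUN and CALLER_UID are hypothetical; the passwd line is the apache entry shown in Solution 2, and the /tmp path is constructed.

```shell
#!/bin/sh
# Added example; run_as, shell_field, is_nologin_shell, DRY_RUN and CALLER_UID
# are hypothetical names, not part of su, sudo or runuser.

# Print the login-shell field (the last field) of a passwd(5)-format line.
shell_field() {
    printf '%s\n' "${1##*:}"
}

# Succeed when the shell is a "no interactive login" placeholder.
is_nologin_shell() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# run_as USER COMMAND [ARG...]
# As root use runuser, otherwise sudo -u. Both exec COMMAND directly, so the
# target's nologin shell is never started and each ARG arrives as one argv
# element (there is no -c string for a shell to re-split).
run_as() {
    target=$1; shift
    if [ "${CALLER_UID:-$(id -u)}" -eq 0 ]; then
        set -- runuser -u "$target" -- "$@"
    else
        set -- sudo -u "$target" -- "$@"
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$@"    # dry run: one argv element per line
    else
        "$@"
    fi
}

# Constructed demo: the passwd line is the apache entry shown in Solution 2.
entry='apache:x:48:48:Apache:/var/www:/sbin/nologin'
if is_nologin_shell "$(shell_field "$entry")"; then
    ( DRY_RUN=1; CALLER_UID=0; run_as apache /bin/touch '/tmp/test file' )
fi
```

Unset DRY_RUN to execute the command instead of printing it; the non-root branch still needs a sudoers rule that allows the caller to run the command as the target user.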


Author: Tommaso

Updated on September 18, 2022

Comments

  • Tommaso
    Tommaso over 1 year

    All I need to do is to run a specific script as a particular user who does have the nologin/false shell indicated in /etc/passwd.

    I would run the script as root and this should run as another user. Running:

    ~# su -c "/bin/touch /tmp/test" testuser
    

    would work, but I need a valid shell for the testuser. I know I can disable the password with passwd -d testuser and leave the shell set to /bin/bash; this would secure it a little bit, but I need to have a nologin/false shell.

    Basically, what I need is what crontab does when we set jobs to run as a particular user, regardless of whether this one has a nologin/false shell.

    P.S. I found this thread, Executing a command as a nologin user, but I have no idea how to concatenate the command su -s /bin/sh $user to the script I need to run.

  • Patryk
    Patryk about 9 years
    What if su is root:root -rwsr-x--- ?
  • CMCDragonkai
    CMCDragonkai almost 9 years
    How do you pass parameters to sudo -u apache whoami?
  • CMCDragonkai
    CMCDragonkai almost 9 years
    What if the user doesn't have a password?
  • Wesley
    Wesley almost 9 years
    @CMCDragonkai That is left as an exercise for the student.
  • Handyman5
    Handyman5 almost 9 years
    @CMCDragonkai Any parameters after the command will be passed along. You can think of it like "sudo [-u apache] [whoami <param1> <param2>]".
  • CMCDragonkai
    CMCDragonkai over 8 years
    @Wesley Found out that you need to be root to run that command for passwordless user.
  • Facundo Victor
    Facundo Victor about 8 years
    @lain, If the user is supposed to not have a shell, the process related to the command should not be a child of a bash process. Thus, you should also use exec to replace the shell with the script. And if you like to make the script a child of init, you just use &, as an example su -s /bin/bash -c 'exec /path/to/your/script &' test
  • Meow
    Meow about 8 years
    I think using sudo -u is probably not a good idea for running commands as a nologin user, because it exposes SUDO_USER in the environment, which identifies the real user who invoked the command. Maybe I am just overthinking it.
  • Calimo
    Calimo over 7 years
    @CMCDragonkai use sudo: sudo su -s ...
  • knocte
    knocte about 7 years
    This gives "This account is currently not available."
  • Federico Galli
    Federico Galli about 6 years
    Please do not post link-only answers to prevent link rot. Instead, add the most relevant information from the link to your answer or alternatively, post the link as a comment instead of an answer. See this serverfault.com/help/how-to-answer help center article for further information.
  • Y00
    Y00 about 6 years
    @FedericoGalli the most relevant information is already added, there is no need to copy and paste the usage, the man page provides enough information
  • user3132194
    user3132194 about 6 years
    If called from root, runuser is preferable. It is compatible with su.
  • Ray Foss
    Ray Foss almost 6 years
    Anyone know the mac way to do this? -s isn't an option
  • dortegaoh
    dortegaoh over 4 years
    That's exactly the solution from the highest rated answer.
  • ivanleoncz
    ivanleoncz almost 4 years
    Just as a reminder, for me and others who work with Zabbix: this example is EXTREMELY USEFUL, when it comes to commands that require sudo permissions. Example: if you provide access to nginx -t to zabbix user via sudoers, and want to test the command sudo /usr/sbin/nginx -t. You can run su -s /bin/bash -c 'sudo /usr/sbin/nginx -t' zabbix, even when zabbix user has nologin as shell.