How to run command as user who has /usr/sbin/nologin as Shell?
Solution 1
You can use the -s switch to su to run a particular shell
su -s /bin/bash -c '/path/to/your/script' testuser
(Prepend sudo
to the above if testuser
is a passwordless user.)
Solution 2
You can do this with sudo -u
if you have it installed:
# whoami
root
# sudo -u apache whoami
apache
# getent passwd apache
apache:x:48:48:Apache:/var/www:/sbin/nologin
Solution 3
By providing the script as the argument to execute to /bin/sh:
su -s "/bin/sh /your/script/location" username
Solution 4
actually, the best way to do this is via runuser
see the man page for details
this tool is used to deal with the situation as the developer said in his bolg
Whenever an service is running as root and wants to change UID using the shell it should use runuser.
http://danwalsh.livejournal.com/55588.html
i've post this answer in many palaces, forgive me if you find this annoying
Solution 5
just realized :
su -s "/bin/bash" -c "/bin/touch /tmp/testuser" testuser
maybe there is a better way ?!
Related videos on Youtube
Tommaso
Updated on September 18, 2022Comments
-
Tommaso over 1 year
All I need to do is to run a specific script as a particular user who does have the
nologin/false
shell indicated in/etc/passwd
.I would run the script as root and this should run as another user. Running:
~# su -c "/bin/touch /tmp/test" testuser
would work, but I need a valid shell for the testuser. I know I can disable the password with
passwd -d testuser
and leave the shell to/bin/bash
this way would secure a little bit but I need to havenologin/false
shell.Basically what I need is what
crontab
does when we set jobs to be running as a particular user, regardless this one hasnologin/false
shell.p.s I found this thread Executing a command as a nologin user, but I have no idea how to
concatenate
the commandsu -s /bin/sh $user
to the script I need to run. -
Patryk about 9 yearsWhat if su is
root:root -rwsr-x---
? -
CMCDragonkai almost 9 yearsHow do you pass parameters to
sudo -u apache whoami
? -
CMCDragonkai almost 9 yearsWhat if the user doesn't have a password?
-
Wesley almost 9 years@CMCDragonkai That is left as an exercise for the student.
-
Handyman5 almost 9 years@CMCDragonkai Any parameters after the command will be passed along. You can think of it like "sudo [-u apache] [whoami <param1> <param2>]".
-
CMCDragonkai over 8 years@Wesley Found out that you need to be root to run that command for passwordless user.
-
Facundo Victor about 8 years@lain, If the user is supposed to not have a shell, the process related to the command should not be a child of a bash process. Thus, you should also use exec to replace the shell with the script. And if you like to make the script a child of init, you just use &, as an example
su -s /bin/bash -c 'exec /path/to/your/script &' test
-
Meow about 8 yearsI think using
sudo -u
is probably not a good idea for running commands as a nologin user, because it exposes theSUDO_USER
in the environment who is the real one invokes the command. Maybe I am just overthinking it. -
Calimo over 7 years@CMCDragonkai use sudo:
sudo su -s ...
-
knocte about 7 yearsthis gives
This account is currently not available.
-
Federico Galli about 6 yearsPlease do not post link-only answers to prevent link rot. Instead, add the most relevant information from the link to your answer or alternatively, post the link as a comment instead of an answer. See this serverfault.com/help/how-to-answer help center article for further information.
-
Y00 about 6 years@FedericoGalli the most relevant information is already added, there is no need to copy and paste the usage, the man page provides enough information
-
user3132194 about 6 yearsIf called from root,
runuser
is preferable. It is compatible whithsu
. -
Ray Foss almost 6 yearsAnyone know the mac way to do this?
-s
isn't an option -
dortegaoh over 4 yearsThat's exactly the solution from the highest rated answer.
-
ivanleoncz almost 4 yearsJust as a reminder, for me and others who work with Zabbix: this example is EXTREMELY USEFUL, when it comes to commands that require sudo permissions. Example: if you provide access to
nginx -t
tozabbix
user via sudoers, and want to test the commandsudo /usr/sbin/nginx -t
. You can runsu -s /bin/bash -c 'sudo /usr/sbin/nginx -t' zabbix
, even whenzabbix
user hasnologin
as shell.