How to su non-interactively?


Solution 1

You could either use the echo :

echo <otherpwd> | su - otheruser -c "my command line"

or expect:

expect -c 'spawn su - otheruser -c "my command line"; expect "Password:"; send "<otherpwd>\n"; expect eof'

But this means the password is stored as cleartext in your script, which is never a good thing. Really, sudo would be the best way to go ...

Solution 2

Several ways to become another user.

su only works without a password if you are already root. Trying to provide a password to it on the command line is a bad idea, it will expose the credential. Don't use su.

sudo is widely deployed and free. You can deploy policy, including password-less commands, in files or LDAP.

ssh otheruser@localhost is even more widely deployed. However, you do have to have a passphrase-less key or equivalent.

ksu is useful in a Kerberos environment. If you already have a ticket you can use that.

pbrun is a part of PowerBroker, a commercial privilege product that I'm not very familiar with.

dzdo is a part of Centrify DirectAuthorize, another commercial privilege product.

doas is OpenBSD's take on executing commands as another user. It seems to have a Linux port, which is a fairly recent development.

pfexec uses role-based access control on Solaris. However, you tagged this question Linux.
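Both answers end up recommending sudo or an ssh key over a cleartext password. The script below is an added example, not code from either answer: it renders a sudoers rule scoped to one command, syntax-checks it with visudo before installation, and probes for a usable password-free path with sudo -n and ssh -o BatchMode=yes, both of which exit non-zero immediately instead of sitting on a hidden "Password:" prompt. The calling user deploy, the target user otheruser and the path /usr/local/bin/rotate-logs are placeholders assumed for the example.

```sh
#!/bin/sh
# Added example, not taken from either answer above. User names "deploy" and
# "otheruser" and the path /usr/local/bin/rotate-logs are placeholders.

# Render a sudoers rule allowing $1 to run exactly $3 as $2 with no password.
# Install it with `visudo -f /etc/sudoers.d/rotate-logs`, never with `echo >>`,
# so a typo cannot lock everyone out of sudo.
sudoers_rule() {
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# Syntax-check a candidate rule before installing it. `visudo -c -f FILE`
# parses FILE without touching /etc/sudoers. Returns 2 if visudo is absent.
check_rule() {
    command -v visudo >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    visudo -c -f "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Decide, without prompting, which mechanism can run commands as $1.
# `sudo -n` refuses (exit 1) instead of asking for a password when no
# NOPASSWD rule matches; `ssh -o BatchMode=yes` does the same when no key is
# accepted. Prints "sudo" or "ssh"; prints nothing and returns 1 if neither works.
noninteractive_path() {
    target=$1
    if command -v sudo >/dev/null 2>&1 && sudo -n -u "$target" -- true 2>/dev/null; then
        echo sudo
        return 0
    fi
    if command -v ssh >/dev/null 2>&1 &&
       ssh -o BatchMode=yes -o ConnectTimeout=5 "$target@localhost" true 2>/dev/null; then
        echo ssh
        return 0
    fi
    return 1
}

# Run "$2 ..." as user $1 via whichever mechanism is usable. No password is
# ever piped in; if neither path works the caller gets a clear error instead
# of a cron job or CI step that hangs forever on a prompt nobody will answer.
run_as() {
    target=$1
    shift
    case $(noninteractive_path "$target") in
        sudo) sudo -n -u "$target" -- "$@" ;;
        # ssh joins its arguments into one remote shell string, so quote
        # anything containing spaces yourself when relying on this branch.
        ssh)  ssh -o BatchMode=yes "$target@localhost" "$@" ;;
        *)    echo "cannot run as $target without a password: add a NOPASSWD rule or an ssh key" >&2
              return 1 ;;
    esac
}

# Example invocation (results depend on local policy):
#   rule=$(sudoers_rule deploy otheruser /usr/local/bin/rotate-logs)
#   check_rule "$rule" && printf '%s\n' "$rule"   # then install via visudo -f
#   run_as otheruser /usr/local/bin/rotate-logs /var/log/app
```

Note that `-n` on sudo and `BatchMode=yes` on ssh are what make the script safe to run unattended: without them a missing rule or key turns into a silent hang rather than a failed job.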

Author: NonCreature0714

Updated on September 18, 2022

Comments

  • NonCreature0714
    NonCreature0714 over 1 year

    I want to do something like this to non-interactively switch user:

    su otheruser -p <password>
    

    But this obviously doesn't work... what will?

    • Zoredache
      Zoredache over 6 years
      Is using sudo an option instead? It has the NOPASSWD-based options.
    • Zoredache
      Zoredache over 6 years
      Or maybe just setup an SSH key-pair, and use ssh user@localhost?
    • NonCreature0714
      NonCreature0714 over 6 years
      Sudo isn’t an option, sorry!
    • allo
      allo over 6 years
      su -c "yourcommand" otheruser runs a command just as if you would have typed it into the shell after su.
  • Lazarus
    Lazarus over 6 years
    pbrun isn't really there to allow you to switch user accounts, just as sudo isn't for that reason. Both are intended to allow you to execute commands, applications, etc, in a different user context. This allows you to implement a very secure environment without ever needing direct access to root and limiting the user within the principle of least privilege. sudo allows you to execute commands on the system you are logged into with local or LDAP policy, pbrun allows you to do this across systems with centrally managed and versioned policy (and at a much finer grain).
  • John Mahowald
    John Mahowald over 6 years
    And a primary use case of ssh is for remote shells, not locally switching to another user. I sudo --login all the time. Point being you can be creative with switching user contexts, and sudo is not the only option.