How to su non-interactively?
Solution 1
You could either use echo:
echo <otherpwd> | su - otheruser -c "my command line"
or expect:
expect -c 'spawn su - otheruser -c "my command line"; expect "Password :"; send "<otherpwd>\n"; interact'
But this means the password is stored as cleartext in your script, which is never a good thing. Really, sudo would be the best way to go ...
Solution 2
Several ways to become another user.
su only works without a password if you are already root. Trying to provide a password to it on the command line is a bad idea; it will expose the credential. Don't use su.
sudo is widely deployed and free. You can deploy policy, including password-less commands, in files or LDAP.
ssh otheruser@localhost is even more widely deployed. However, you do have to have a passphrase-less key or equivalent.
ksu is useful in a Kerberos environment. If you already have a ticket you can use that.
pbrun is a part of PowerBroker, a commercial privilege product that I'm not very familiar with.
dzdo is a part of Centrify DirectAuthorize, another commercial privilege product.
doas is OpenBSD's take on executing commands as another user. It seems to have a Linux port, which is a fairly recent development.
pfexec uses role-based access control on Solaris. However, you tagged this question Linux.
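Solution 2's warning that a password given on the command line exposes the credential can be checked against your own processes. The script below is an added example, not part of the original answers; it assumes Linux with /proc, and the SECRET value and the "worker" name are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original answers. Linux-only: it reads /proc.
# SECRET is a constructed placeholder, not a real credential.
SECRET='constructed-example-pw'

# argv_of PID: print PID's argument list (stored NUL-separated in
# /proc/PID/cmdline, which other local users can read by default).
argv_of() {
    [ -r "/proc/$1/cmdline" ] && tr '\000' ' ' < "/proc/$1/cmdline"
}

# argv_contains PID STRING: succeed if STRING is visible in PID's arguments.
argv_contains() {
    argv_of "$1" | grep -qF -- "$2"
}

# wait_for_exec PID: a freshly forked child still shows the parent's argv,
# so wait (up to ~5 s) until the child's argv differs from this shell's.
wait_for_exec() {
    n=0
    while [ "$n" -lt 5 ]; do
        child=$(argv_of "$1") || child=''
        [ -n "$child" ] && [ "$child" != "$(argv_of $$)" ] && return 0
        sleep 1; n=$((n + 1))
    done
    return 1
}

# check_child PID: print "exposed" or "hidden", then stop the child.
check_child() {
    wait_for_exec "$1" || { echo 'no-child'; return 0; }
    if argv_contains "$1" "$SECRET"; then echo 'exposed'; else echo 'hidden'; fi
    kill "$1" 2>/dev/null || true
}

# Credential passed as an argument, as in "su otheruser -p <password>".
secret_in_argv() {
    sh -c 'sleep 3; :' worker "$SECRET" >/dev/null 2>&1 &
    check_child "$!"
}

# Credential fed on stdin. printf is a builtin in common shells, so the value
# never enters any argv; it is still cleartext wherever the script stores it.
secret_on_stdin() {
    printf '%s\n' "$SECRET" | sh -c 'read -r pw; sleep 3; :' worker >/dev/null 2>&1 &
    check_child "$!"
}

printf 'argument: %s\nstdin:    %s\n' "$(secret_in_argv)" "$(secret_on_stdin)"
```

Keeping the value out of argv only removes this one exposure; the cleartext-in-script problem from Solution 1 remains, which is why both answers point to sudo policy or key-based ssh instead.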
NonCreature0714
Updated on September 18, 2022
Comments
-
NonCreature0714 over 1 year
I want to do something like this to non-interactively switch user:
su otheruser -p <password>
But this obviously doesn't work... what will?
-
Zoredache over 6 years
Is using sudo an option instead? It has the NOPASSWD-based options.
-
Zoredache over 6 years
Or maybe just set up an SSH key-pair, and use ssh user@localhost?
-
NonCreature0714 over 6 years
Sudo isn’t an option, sorry!
-
allo over 6 years
su -c "yourcommand" otheruser runs a command just as if you would have typed it into the shell after su.
-
Lazarus over 6 years
pbrun isn't really there to allow you to switch user accounts, just as sudo isn't for that reason. Both are intended to allow you to execute commands, applications, etc, in a different user context. This allows you to implement a very secure environment without ever needing direct access to root and limiting the user within the principle of least privilege. sudo allows you to execute commands on the system you are logged into with local or LDAP policy, pbrun allows you to do this across systems with centrally managed and versioned policy (and at a much finer grain).
-
John Mahowald over 6 years
And a primary use case of ssh is for remote shells, not locally switching to another user. I sudo --login all the time. Point being you can be creative with switching user contexts, and sudo is not the only option.