Is it possible for root to execute a command as non-root?
Solution 1
A portable solution would be:
su abc -c google-chrome
However, as google-chrome is requiring X11 access, this will likely fail unless you unsecured it, which would be a very bad idea, especially while running as root.
If X11 tunelling/forwarding is allowed, a better way would be
ssh -X abc@localhost google-chrome
or
ssh -Y abc@localhost google-chrome
Solution 2
Short answer: "Yes, this is possible".
if you like to execute a non-X application then just use the following command:
sudo -u abc command
If you like to run some X application as another user but with your own desktop first you need to create a helper script, that will make your life simpler
- create a bin folder under your home directory:
mkdir -p ~/bin
and using your favorite text editor create a file ~/bin/xsudo
as follows:
#!/bin/bash
# (C) serge 2012
# The script is licensed to all users of StackExchange family free of charge
# Fixes/Enhancements to the script are greatly appreciated.
#
# SUDO_ASKPASS has to be set to the path of ssh-askpass
# fix the following two lines if your distribution does not match this autodetection
. /etc/profile.d/gnome-ssh-askpass.sh
export SUDO_ASKPASS="${SSH_ASKPASS}"
SUDOUSERNAME="$1"
shift
xauth nlist "${DISPLAY}"|sudo -HA -u $SUDOUSERNAME env --unset=XAUTHORITY \
bash -c "xauth nmerge - ; $*"
then make it executable:
chmod +x ~/bin/xsudo
and use it the same way as sudo
but without any switches:
xsudo user application
Enjoy.
P.S. Starting xsession
from the root
account is strongly discouraged!
Solution 3
#! /bin/bash
# (GPL3+) Alberto Salvia Novella (es20490446e)
execute () {
function="${1}"
command="${2}"
error=$(eval "${command}" 2>&1 >"/dev/null")
if [ ${?} -ne 0 ]; then
echo "${function}: $error"
exit 1
fi
}
executeAsNonAdmin () {
function="${1}"
command="${2}"
eval setPasswordAsker="SUDO_ASKPASS=/usr/libexec/openssh/ssh-askpass"
run="runuser ${SUDO_USER} --session-command=\"${setPasswordAsker}\" --command=\"${command}\""
execute "${function}" "${run}"
}
executeAsNonAdmin "" "${@}"
Solution 4
There is a way to run chromium when logged in to the root user. If you open it normally, it will give you an error like "chromium cannot be run as root."
To run it without the error, right click your desktop, create a new launcher with the command: chromium-browser --user-data-dir
. You can name it what you want, save it, when you open it, it will give you the chromium browser. (Works in Ubuntu 10.04.4 LTS)
Related videos on Youtube
Comments
-
adnan kamili over 1 year
I am a root user, and suppose I want to run any application as another user. Is this possible, without switching to another user?
Something like
# google-chrome user=abc
I am actually executing a CLI program as a non-root user. I have set the sticky bit on and I am using setuid, so the program runs with root privileges. Now I am using
system()
within the program to invoke a GUI app. But I don't want to run it as root, so I want to temporarily drop root privileges only for that call.-
kojiro over 11 years@Keith nothing in the question implies most of the time.
-
Keith over 11 yearsOr not, that's why I ask for clarification.
-
ctrl-alt-delor over 11 yearsYes that is how the first program for each user is run. The first process on the system is run as root. There are a lot of ways to drop privilege, including all the ways that can escalate privilege, plus some more.
-
-
jlliagre over 11 yearsDid you try it ? I'm afraid this particular example can't work.
-
Serge over 11 yearsYes, because in order to start an X application from another user session you have to allow access to you display. But this is also possible. Unfortunately I do not remember how exactly this to be done.
-
Serge over 11 years@jlliagre However, I remember how to start an X app on the same host in a tricky way:
ssh -X abc@localhost google-chrome
:) -
Serge over 11 yearsHmm... I'm writing in comments what you already posted 22 mins ago...
-
jlliagre over 11 yearsBut you still have 6 up votes for a non working solution while I only got one for a correct one. StackExchange model is sometimes quite frustrating ...
-
Serge over 11 years@jlliagre 1) it is working solution as the question is clear: "Is it possible for root to execute a command as non-root"; and then: "Say..." 2) I do not look at votes at all: very often I see that for absolutely equivalent answer people voting in favor of the one who has higher reputation regardless of the fact that the first answer was given by the other person with score of 1.
-
badboy24 over 11 years
DISPLAY=:0 sudo -u abc google-chrome
? (Assuming same machine, at least) -
Serge over 11 years@lzkata DISPLAY=:0.0 is already set in my case (am starting the sudo form Xterminal window). I need to solve XAuth problem to provide complete answer, but now have no time to refresh my mind, thanks any way)
-
Serge over 11 years@jlliagre Take a look, please
-
Steve about 6 yearsWhy would the ssh approach be any better? Wouldn't this still run using the root user's X session?
-
jlliagre about 6 years@Steve Using
su abc -c google-chrome
will likely fail in the first place becauseabc
cannot use root's session,.Xauthority
being unreadable forabc
. -
Steve about 6 yearsOops sorry I misunderstood you, I thought you meant it would be better from a security perspective