The opposite of su: run a command without root privileges
Solution 1
I would personally invert your strategy and run the script as a non-privileged user, with sudo used to run the commands requiring root privileges. Is there any specific reason you need to run the script as root?
To answer your question however, you can use the -c flag to run a specific command as a user:
su someuser -c "touch /tmp/file"
Reference: http://linux.die.net/man/1/su
Solution 2
I don't want to rely on the hypothesis that a particular username exists on the machine.
There are advantages being the superuser... :-)
scriptuser_created=no
scriptuser=myuser
# Create the account only if it does not already exist
if ! id "$scriptuser" &>/dev/null; then
    adduser --system "$scriptuser"
    scriptuser_created=yes
fi
# Run the unprivileged parts of the script as that account
sudo -u "$scriptuser" command1
sudo -u "$scriptuser" command2
sudo -u "$scriptuser" command3
# Remove the account only if this script created it
if [ yes = "$scriptuser_created" ]; then
    userdel "$scriptuser"
fi
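As an added example (not code from either answer), the script below combines Solution 2 with two of the comment tips: it runs as root, reuses or creates a system account whose shadow password field is disabled, refuses to continue if that field is empty, and then uses su -s /bin/sh -c so a nologin shell does not block the command. The account name SCRIPT_USER, the helper names user_exists and shadow_locked, and the /usr/sbin/nologin path are assumptions.

```shell
#!/bin/sh
# Assumed example: run one command as an unprivileged account from a root script.
set -eu

SCRIPT_USER=${SCRIPT_USER:-scripttmp}   # assumed account name
NOLOGIN=/usr/sbin/nologin               # assumed path (Debian and RHEL both have it)
created=no

# 0 if the account exists in the passwd database (NSS-aware, unlike grepping /etc/passwd).
user_exists() {
    id "$1" >/dev/null 2>&1
}

# 0 if a shadow(5) record's password field is disabled: "*" or anything starting with "!"
# can never match a password; an empty field is NOT locked (passwordless login).
shadow_locked() {
    shadow_pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case $shadow_pw in
        '*'|'!'*) return 0 ;;
        *)        return 1 ;;
    esac
}

cleanup() {
    if [ yes = "$created" ]; then
        userdel "$SCRIPT_USER"
    fi
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    trap cleanup EXIT
    if ! user_exists "$SCRIPT_USER"; then
        # Without -p, useradd leaves the shadow field as "!" (locked), so the temporary
        # account cannot be logged into during its short lifetime.
        useradd --system --no-create-home --shell "$NOLOGIN" "$SCRIPT_USER"
        created=yes
    fi
    # Verify the lock whether or not this script created the account.
    shadow_locked "$(getent shadow "$SCRIPT_USER")" ||
        { echo "$SCRIPT_USER has a usable password; refusing" >&2; exit 1; }
    # -s overrides the nologin shell so -c can run the command as that user.
    su "$SCRIPT_USER" -s /bin/sh -c "$1"
}

# Only act when given a command and running as root, e.g.:  ./drop.sh 'touch /tmp/file'
if [ "$#" -gt 0 ] && [ "$(id -u)" -eq 0 ]; then
    main "$1"
fi
```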
Updated on September 18, 2022
Comments
-
John Smith Optional over 1 year
I'm writing a shell script where most commands don't require root privileges. The script should be run by the administrator. But I would like to be able to "su" to a normal user account for the parts of the script that don't require root privileges. This would minimize the number of operations done with root privileges and would improve security.
Is there a Linux command to do that?
I know it is possible to su to any user account but I don't want to rely on the hypothesis that a particular username exists on the machine.
I thought of creating a temporary account for the time of the script and deleting it at the end of the script. But if I don't set a password on this account, wouldn't an attacker be able to use it during the short lifetime of the account? I can't set the user shell to /sbin/nologin because apparently this prevents executing commands in a shell script "suing" to the account. Thanks for your help.
-
Sirex almost 11 years
Why not just have your admin run the script from their normal, unprivileged user account, and sudo as needed?
-
Zoredache almost 11 years
"But if I don't set a password on this account"
Don't set an empty password. Set a disabled password. Store a * in the password field for the account you create. You can use the account, but you cannot authenticate to it using password authentication. All your service accounts are already doing this. See your /etc/shadow.
-
John Smith Optional almost 11 years
Thanks for the tip. Can it be done directly with the useradd command?
-
Čamo about 3 years
Can you show us the command which creates the temp user?
-
John Smith Optional almost 11 years
Thanks for your reply. I edited my message while you were replying. I added the requirement that I don't want to rely on the existence of a particular username on the machine. I'd like to be able to distribute the script without worrying about what other user accounts exist on the computer and how they are set up.
-
ObiwanKeTobi almost 11 years
I'm unsure if this answers the original question - it wasn't asking if the script could detect if it was running as the correct user, but the script should be run as root and drop to a non-privileged user where appropriate.
-
Michael Hampton almost 11 years
This is the Right Way.
-
John Smith Optional almost 11 years
Thanks, I think I'm going to do that but that means I'll have to take care of a sudoers file on every machine and make sure they are synchronized. I guess you're right, though. This is the best way.
-
James Shewey almost 8 years
Just because something is the best way does not mean it answers the question or applies in all cases. For example, I am writing a script to check that the root user's password is not an old company default. Unfortunately su doesn't require a password when root runs it, so I need to de-escalate privileges so that I can re-escalate privileges but can't be sure any given account exists because this has to all happen at deployment time via kickstart. I'd rather not create a user I will only ever need once to do this.
-
chicks about 7 years
Isn't this a bit redundant to the existing answers?
-
Sum1sAdmin over 5 years
You're not doing that the best way, or the easy way.
-
dasj19 almost 5 years
... and if the user does not have a shell assigned to its account (as is the case of www-data on Debian servers)... you can specify which shell to use with:
su www-data -s /bin/sh -c "touch /tmp/file"