runuser sudo su

By OK -
You can use the following commands to run as another user or as root user.

#1: runuser command

The runuser command run a shell with substitute user and group IDs. This command is useful only when run as the root user:
Only session PAM hooks are run, and there is no password prompt. If run as a non-root user without privilege to set user ID, the command will fail as the binary is not setuid. As runuser doesn’t run auth and account PAM hooks, it runs with lower overhead than su.
The syntax is:
runuser -l  userNameHere -c 'command'
runuser -l  userNameHere -c '/path/to/command arg1 arg2'
For example, as a root user you may want to check shell resource limits for oracle user, enter:
# runuser -l oracle -c 'ulimit -SHa'
OR check nginx or lighttpd web server limitations:
# runuser -l nginx -c 'ulimit -SHa'
OR
# runuser -l lighttpd -c 'ulimit -SHa'
Sometime, a root user can not browse NFS mounted share due to permission (security) issue:
# ls -l /nfs/wwwroot/cyberciti.biz/http
OR
# cd /nfs/wwwroot/cyberciti.biz/http
Sample outputs:
-bash: cd: /nfs/wwwroot/cyberciti.biz/http/: Permission denied
However, apache user is allowed to browse or access nfs based system mouted at /nfs/wwwroot/cyberciti.biz/http/:
# runuser -l apache -c 'ls -l /nfs/wwwroot/cyberciti.biz/http/'
OR
# runuser -l apache -c 'cd /nfs/wwwroot/cyberciti.biz/http/; vi index.php'
No password is required to use runuser command and it must be run by root user only.

Options

  1. The -l option : Make the shell a login shell, uses runuser-l PAM file instead of default one.
  2. The -g group : Specify the primary group.
  3. The -G group : Specify a supplemental group.
  4. The -c COMMAND : Pass a single COMMAND to the shell with -c.
  5. –session-command=COMMAND : Pass a single COMMAND to the shell with -c and do not create a new session.
  6. -m : Do not reset environment variables.

#2: su command

The su command allows you to become a super user or substitute user, spoof user, set user or switch user. It allows a Linux user to change the current user account associated with the running console or shell provided that you know the target user’s password. The syntax is as follows:
su -
su - username

Switching to root user

su command asks for the target user’s password. Type su – at your shell prompt to switch to root user account (you must know the root user account password):
vivek@wks01:~$ su -
OR
vivek@wks01:~$ su - root
Sample outputs:
Password: 
root@wks01:/root# logout
vivek@wks01:~$
If the correct root password is provided, ownership of the session is changed to root account. Type logout exit a root login shell. Type whoami or id command to verify the owner of a session:
whoami
OR
id

Run command as root user

The syntax is:
su - root -c "command"
OR
su - -c "command arg1"
To view the contents of /root directory which is not accessible to normal users, run:
su - root -c "ls -l /root"
Please note that Linix and some Unix-like systems have a wheel group of users, and only allow these users to su to root.

Run command as another user using su command

The following command switches to user oracle’s account and shows a list of limits:
$ su - oracle -c 'ulimit -aHS'
Again, if the correct oracle password is provided, ownership of the session is changed to oracle account. The log of su command is kept in a system log, typically in /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS).

#3: sudo command

sudo executes a command as another user but follows a set of rules about which users can execute which commands as which other users. This is configured in a filed named /etc/sudoers. Unlike su, sudo authenticates users against their own password rather than that of the target user. Sudo allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This allow the delegation of specific commands to specific users on specific hosts without sharing passwords among them. The syntax is as follows:
sudo command
See the following links for more information:

A note about GUI tools ( GUI frontend for su and sudo )

gksu command is a frontend to su and gksudo is a frontend to sudo. heir primary purpose is to run graphical commands that need root without the need to run an X terminal emulator and using su directly. The syntax is as follows:
gksu [-u <user>] [options] <command>
gksudo [-u <user>] [options] <command>
Just type gksu and you will be prompted as follows:
Linux gksu: Run Command As Root User Using Gnome GUI
Fig.01: gksu in action
You will be prompted for root user’s account password:
Gnome gksu Command
Fig.02: Gnome gksu authentication box for the target user
You can run command directly as follows:
gksu -u root 'ls /root'
OR run command as oracle user:
gksu -u oracle 'ulimit -aHS'
OR
OR login as root:
gksu -u root -l

Summary: runuser vs su vs sudo

CommandRoot to userUser to rootAny to any userAuth typeLog fileRemark
runuserYNNNoneN/AAs runuser doesn’t run auth and account PAM hooks, it runs with lower overhead than su.
suYYYTarget user’s password/var/log/auth.log or /var/log/secureYou must share your password or root password with other users.
sudoYYYAuthenticates users against their own password rather than that of the target user./var/log/auth.log or /var/log/secureAllows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands.
See man pages for more information about su, sudo, gksu, and gksudo commands.

Comments

Post a Comment

Popular posts from this blog

HAproxy logging

By OK -
ubuntu@ubuntu:/etc/haproxy$ cat /etc/rsyslog.d/haproxy.conf # Create an additional socket in haproxy's chroot in order to allow logging via # /dev/log to chroot'ed HAProxy processes $ModLoad imudp $UDPServerRun 514 local0.* -/var/log/haproxy-0.log local1.* -/var/log/haproxy-1.log ### keep logs in localhost ## $AddUnixListenSocket /var/lib/haproxy/dev/log ------------------- ubuntu@ubuntu:/etc/haproxy$ cat /etc/haproxy/haproxy.cfg global chroot /var/lib/haproxy user haproxy group haproxy log 127.0.0.1   local0         log 127.0.0.1   local1 notice daemon frontend www     bind 192.168.40.128:8282    # haproxy public IP     default_backend as-backend    # backend used backend as-backend    balance leastconn    mode http  server as1 192.168.40.128:8082 check    # application srv 1 defaults log global mode http option httplog option dontlognull         contimeout 5000    
Read more

tomcat catalina coyote jasper cluster

By OK -
Tomcat Component are Catalina Coyote Jasper Cluster Catalina :  Catalina is the name of the servlet container of Apache Tomcat since version 4.x. Tomcat implements Sun Microsystems' specifications for servlet and JavaServer Pages (JSP), which are important Java-based Web technologies. Tomcat's servlet container was redesigned as Catalina in Tomcat version 4.x. other components of the Tomcat engine are: Tomcat Jasper which converts the code portions within JavaServer Pages into servlets and pass them to Catalina to process. Tomcat Coyote which is an HTTP connector based on HTTP/1.1 specifications that receives and transmits web requests to the Tomcat engine by listening to a TCP/IP port and returns requests back to the requesting client. Coyote :  The Coyote JK Connector element represents a Connector component that communicates with a web connector via the JK protocol (also known as the AJP protocol). This is used for cases where you wish to invisibly integr
Read more

NFS mount add in fstab _netdev instead of default | firewall-cmd --list-all

By OK -
Redhat recommends us to add  _netdev  option for NFS file system in /etc/fstab. So that they can be mounted after starting the networking service. Alternative ways to refer to partitions: Label : LABEL=label Network ID Samba : //server/share NFS : server:/share SSHFS : sshfs#user@server:/share Device : /dev/sdxy (not recommended) Example #1 //192.168.1.134/share_name /mnt/share_name cifs username=server_user,password=server_password,_netdev 0 0 ^ Path to your share ^ Mountpoint ^ Username ^ Password ^ See note A Note A: The  _netdev  options makes sure the mount is only attempted AFTER a network connection has been established. Example #2 10.10.10.1:/vol1/fs1 /data nfs defaults,_netdev 0 0 ============================ [root@localhost ~]# firewall-cmd --list-all public   target: default   icmp-block-inversion: no   interfaces:   sources:   services: dhcpv6-client high-availability ssh   ports:   protocols:   masquera
Read more