Running a program from the command line as a different user and/or group

Trenix25

I wrote this program decades ago, but it got lost when I moved so I recently wrote it again. Someone else may have written something similar since I first wrote it and added it to Linux. This is run. It allows root to run a program as a specific user and group from the command line which allows running a program with limited access rights. It can be very handy for use in shell scripts. This is a C program which has been renamed to use the .txt extension to allow it to be uploaded here. Make sure to rename it after downloading it. Look it over and tell me what you think.

Signed,

Matthew Campbell

Should I have uploaded this to Linux Command Line instead?

Signed,

Matthew Campbell
 
You mean the file name must be run.c?
root uses run on the command line to run a program as another user. Let's say you had a user named fred and Fred was in his own group. root would use run fred program to run a program named program. Adapt as needed. Make sure to compile it first as it is a C source code file, not an executable file.

Signed,

Matthew Campbell
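The privilege drop that a program like run has to perform, as an added example written for this thread (it is not Matthew's attached source): look the user up in the password database, clear supplementary groups and set the GID while still root, then set the UID, verify the drop, and exec the target. The names resolve_user, drop_privileges and run_as and the USER PROGRAM [ARGS...] convention are assumptions; the argv parsing in main is left out.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>

/* Look up a user in the password database. The shell field is never
 * consulted, so an account set to /usr/sbin/nologin resolves normally. */
static int resolve_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Irreversibly become uid/gid. Supplementary groups and the GID are changed
 * first: once the UID is no longer 0, setgroups()/setgid() are forbidden.
 * Refuses uid/gid 0 and checks that root cannot be regained. 0 = success. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;
    if (geteuid() == 0 && setgroups(0, NULL) != 0) /* only root may do this */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0 || setgid(0) == 0) /* both must now fail */
        return -1;
    return 0;
}

/* run USER PROGRAM [ARGS...]: resolve, drop, exec. Returns -1 only on error;
 * argv[0] is the program to execute and argv must be NULL-terminated. */
static int run_as(const char *user, char *const argv[])
{
    uid_t uid;
    gid_t gid;
    if (resolve_user(user, &uid, &gid) != 0)
        return -1;
    if (drop_privileges(uid, gid) != 0)
        return -1;
    execvp(argv[0], argv); /* never returns on success */
    return -1;
}
```

Because the exec happens after the drop, the child keeps only the target user's own primary group, which is the restriction the thread describes.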
 
Just curious how is your program different from using "sudo -u"
-u user, --user=user
Run the command as a user other than the default target user (usually root). The user may be either a user name or a numeric user-ID (UID) prefixed with the ‘#’ character (e.g., ‘#0’ for UID 0). When running commands as a UID, many shells require that the ‘#’ be escaped with a backslash (‘\’). Some security policies may restrict UIDs to those listed in the password database. The sudoers policy allows UIDs that are not in the password database as long as the targetpw option is not set. Other security policies may not support this.
 
Can sudo -u run a command as a user that isn't allowed to log in? I tried using su to become such a user and it wouldn't let me. I haven't tried sudo that way so I don't know. run is intended to allow root to run commands as system users when they can't log in.

Signed,

Matthew Campbell
 
Code:
serviceuser ALL=(ALL) NOPASSWD: /usr/bin/uptime

Code:
sudo -u serviceuser /usr/bin/uptime

I'm not sure what you mean by "isn't allowed to login"? You mean like a service account with no /home directory?
It will still work as long as they have shell.

If you mean they can't login, because I don't want them to, and I redirected their account to /usr/sbin/nologin
and it still works, that seems like a security issue to me.
 
When an account has been disabled then it cannot log in. This means su doesn't work either. In order for serviceuser to be in the sudoers file it must also be in the sudo group, which I consider to be a security threat. My program allows root to run any program that a specified user can run as that user without that user being included in any other groups other than its own. The user in question runs the web server and is extremely restricted. It has no special privileges, though the web server can bind to the lower port numbers. The web user is not in the priv group or the sudo group. The priv group, on my system, applies to local admin users that need access to setuid or setgid programs. A remote user cannot become a member of the priv group, or the mailsystem group. Only a local user account can be an admin account. Admin accounts cannot be logged into from a remote location. Only an admin account may be in the sudoers file, on my system, and in the sudo group. It's part of my security system. It is designed to prevent privilege escalation.

Also, I wrote run myself and it's free open source software. I don't personally have the source code for sudo, which may change after a system update. I trust my own software.

Signed,

Matthew Campbell
 
In order for serviceuser to be in the sudoers file it must also be in the sudo group

Not always true. This seems to be based on a distro by distro basis. But a user
that's not in any group at all can be in the sudoers file.

The other way service accounts get around this, is by using service groups.
For example, apache usually runs as apache or httpd, but they don't have a login shell.
 
Can sudo -u run a command as a user that isn't allowed to log in?
Yes.
Code:
[root@legion html]# grep apache /etc/passwd
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
[root@legion html]# sudo -u apache php occ files:scan --path=maarten
Starting scan for user 1 out of 1 (maarten)
 
Yeah, for example Ubuntu and Kali have problems as Debian-based distros, but official Debian doesn't have a problem like that. Also, in official Debian I experienced many terminal apps with many GUIs (Wayland, GNOME, KDE, Plasma, Xfce etc.), and all of that changes things. For example, when we use the xfce4 terminal it is good for compatibility, runs smoothly with sudo and gives fast response and output, but the Terminator terminal app slows down ... etc.