this post was submitted on 02 Nov 2023
33 points (90.2% liked)
Linux
47356 readers
1173 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Forgot to mention that creating a new user brings a lot of problems because of how that machine is configured and all the tools that would need to be added the new user's permission. In theory it would eventually work after some time working on it, but I'd like to know if there's a way to do it without creating users (or if it's impossible, so I can just go on with that only option)
@linux
You can run commands as the new user from the root account.
su -c 'command' usernameEnter the password for the new user when prompted.
This way at least the main account is still root and the command is being run without root privileges on the new users account.
@Rustmilian yeah, already tried it. The problem is that all of the apps in the instance are only installed for the root user (e.g. python and all it's libraries. So, when I use su -c all I get is a lot of command not found messages that would take a lot to solve. Besides I expect a lot more problems when the command needs access to some files and some processes (like a sql database) that would require me to do a lot of stuff to grant permissions to the new user. That would eventually work but given the work it requires I thought that some kind of "anti sudo" command or something like that could exist so I can still be the root user but pretend I am not a superadmin
There's a source that says something about using the AWS Systems Manager Session Manager by ""Configuring the necessary IAM permissions for your user or role to access the instance using Session Manager 1
Open the AWS Systems Manager console, navigate to the "Session Manager" page, and select the instance you want to access
Click on the "Start session" button to initiate the session with the instance.
Once the session is established, you can run commands as the root user without the need for sudo""
I'm unsure if this achieves exactly what you need though.
There’s no way to run a command as another user if that user is not created.
https://linux.die.net/man/1/runuser
Edit:sudo is also an option but I like runuser for your use-case
@Oisteink in another comment (https://social.vivaldi.net/users/nirogu/statuses/111342629815373353) I explained why I'd prefer not to create another user, as it would require a lot of work to configure everything again for that command to work (it's a big process). I was thinking of hiding my sudo permissions from the program or something like that, if possible, because many things in the instance are only configured to be used with the root user, even if they don't require sudo. Anyway, I'm seeing that it might not be possible so creating a new user could be the only option 🙁
Read your other post and it seems to me that a rebuild of the system to accommodate non-root users would be my preferred solution. Trying to “work around“ issues like this are prone to break as the system is updated/changed. And you’re back to trying to figure out what’s changed and makes your script break.
@Oisteink yep, that seems the right thing to do. Honestly, most of the real problem was lazyness to reconfigure everything, and that's why I published the question. But now I'm convinced that that's the only way lol
Thanks for the help!
Laziness sparks innovation, and there could possibly be some other way to drop privileges. There’s loads of stuff I learn about Linux still - and my first install was summer 94
Keep at it!
You're not wrong for trying to find another solution. Unfortunately, I think, in this case, your up against fundamental Linux permissions. One possibility would be running the work in a container with reduced capabilities but, it really is going to depend on what behaviors you're trying to avoid.
Overall, it's likely a better idea to re-install because noone should be running stuff directly as root in the majority of production scenarios.
Linux privilege only understands user id’s and group id’s. These are mapped through /etc/passwd and /etc/groups. You will see in passwd that the root user has UID 0. Any account you create with UID 0 will have root privileges. So running the command specifying any user with UID!=0 will run without those privileges.
It’s also possible to set user on execution with setuid - but that won’t work on scripts only binary executables.
https://en.wikipedia.org/wiki/Setuid
https://en.wikipedia.org/wiki/User_identifier
https://en.wikipedia.org/wiki/Group_identifier