Run command as not-root

Hi everyone

At work, I have to run a command in an AWS instance. In that particular instance only exists the root user. The command should not be executed with root privileges (it executes mpirun, which is not recommended to run as sudo or the machine might break), so I was wondering if there is a way to block or disable the sudo privileges while the command is running. As mentioned, the only user existing there is root, so I suppose “sudo -u” is not an option.

Does anyone know how to do it? Thanks in advance!

@linux

    • Nicolas Rojas
      cake
      OP
      link
      fedilink
      21 year ago

      @astray yeah, that could be an option, but if more users exist in that machine then other processes might fail as that instance is part of a bigger cluster that has several processes running. It might not be a big deal, but checking that may still need some work. I’d prefer a way to do it without creating new users, if it exists

      • @elscallr
        link
        71 year ago

        If a different user doesn’t exist then you obviously can’t run the command as that different user. The only solution here is to create a new user account.

        Also your image is improperly configured which is something you should fix first.

        • Nicolas Rojas
          cake
          OP
          link
          fedilink
          21 year ago

          @elscallr I agree about the instance configuration, fixing that is the real solution
          My question was not about running something as another user, but about hiding the superadmin privileges from a single command I’d execute without switching users. However it is clear that something like that doesn’t exist so I’ll do the right thing and set everything to work with a new user

          • @elscallr
            link
            21 year ago

            You’ll thank yourself for it later. Things like this take a little longer up front but putting them off has a way of making you have to work around it again and again until, when you get around to correcting it, it takes far more time to undo the workarounds than it would’ve taken to correct it the first time.

  • @[email protected]
    link
    fedilink
    221 year ago

    You probably want to run the command as nobody, the special system user who daemons become when they don’t want to have root permissions.

  • @[email protected]
    link
    fedilink
    101 year ago

    The system is broken. Wipe it and start again. I could imagine a system with no configured root but root only is just a security nightmare and not worth using as a starting point.

    I really hope that machine isn’t exposed to the internet…

    In theory a root application can drop capabilities when it starts up and remain root pid, but it’s not that common… it’s used for certain system apps that require root to increase security. It is not a replacement for unprivileged users.

  • astraeus
    link
    fedilink
    91 year ago

    There are no other users at all? Seems like a lot of stuff simply wouldn’t work without a single non-root user, not to mention this is a pretty bad security stance considering the only user is the most powerful one.

    If you do have another user on the instance you can su as that other user, nobody for example, from the root account. Run ‘cat /etc/passwd’ and you will see every available user on the instance.

    • Nicolas Rojas
      cake
      OP
      link
      fedilink
      11 year ago

      @astraeus yep, completely agree on the security issues, that is a mistake that should be fixed. But for the moment I confirmed that root is the only user, and every file and program in the instance can only be used by root (I just created a new user and tried to run the command with su -c but got a lot of permission denials and command not found)
      If I could hide or disable my own sudo permissions that would save me a lot of work, but I’m starting to think that something like that doesn’t exist 🙁

      • astraeus
        link
        fedilink
        41 year ago

        Unfortunately hiding sudo from root would lead to much greater issues. You can remove sudo privileges from a non-root user, but I don’t think there’s a feasible way to do so for root.

        Does your new user have a proper shell setup? If you type bash in the new user’s terminal does it give you anything?

      • @elscallr
        link
        31 year ago

        I don’t think you understand what root is. By definition it has those permissions because it’s root.

  • Nicolas Rojas
    cake
    OP
    link
    fedilink
    31 year ago

    Forgot to mention that creating a new user brings a lot of problems because of how that machine is configured and all the tools that would need to be added the new user’s permission. In theory it would eventually work after some time working on it, but I’d like to know if there’s a way to do it without creating users (or if it’s impossible, so I can just go on with that only option)
    @linux

    • Rustmilian
      link
      6
      edit-2
      1 year ago

      You can run commands as the new user from the root account.
      su -c 'command' username
      Enter the password for the new user when prompted.
      This way at least the main account is still root and the command is being run without root privileges on the new users account.

      • Nicolas Rojas
        cake
        OP
        link
        fedilink
        11 year ago

        @Rustmilian yeah, already tried it. The problem is that all of the apps in the instance are only installed for the root user (e.g. python and all it’s libraries. So, when I use su -c all I get is a lot of command not found messages that would take a lot to solve. Besides I expect a lot more problems when the command needs access to some files and some processes (like a sql database) that would require me to do a lot of stuff to grant permissions to the new user. That would eventually work but given the work it requires I thought that some kind of “anti sudo” command or something like that could exist so I can still be the root user but pretend I am not a superadmin

        • Rustmilian
          link
          1
          edit-2
          1 year ago

          There’s a source that says something about using the AWS Systems Manager Session Manager by ““Configuring the necessary IAM permissions for your user or role to access the instance using Session Manager 1
          Open the AWS Systems Manager console, navigate to the “Session Manager” page, and select the instance you want to access
          Click on the “Start session” button to initiate the session with the instance.
          Once the session is established, you can run commands as the root user without the need for sudo””
          I’m unsure if this achieves exactly what you need though.

          • Nicolas Rojas
            cake
            OP
            link
            fedilink
            11 year ago

            @Rustmilian Just did that and that is exactly what I needed, but in this case it didn’t work. In this page https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-prerequisites.html they explain that what the manager does is creating another root account in the instance, and that new account is the one that can disable its own permissions. So, I ended up with the same problem of having to configure everything for the new user. However I’m done with the laziness and I’m gonna do it lol, everyone else pointed out that not having a regular user is a security issue and they are right. If I had configured the instance from the beginning with the SSM, I could have skipped all that work, but the reality is that I have to do it
            After I’m done configuring everything, I think I’ll set up the rest of the instances to work with the SSM so that I don’t have to go through all that again
            Thanks for the help!

      • Nicolas Rojas
        cake
        OP
        link
        fedilink
        -11 year ago

        @Oisteink in another comment (https://social.vivaldi.net/users/nirogu/statuses/111342629815373353) I explained why I’d prefer not to create another user, as it would require a lot of work to configure everything again for that command to work (it’s a big process). I was thinking of hiding my sudo permissions from the program or something like that, if possible, because many things in the instance are only configured to be used with the root user, even if they don’t require sudo. Anyway, I’m seeing that it might not be possible so creating a new user could be the only option 🙁

        • @[email protected]
          link
          fedilink
          41 year ago

          Read your other post and it seems to me that a rebuild of the system to accommodate non-root users would be my preferred solution. Trying to “work around“ issues like this are prone to break as the system is updated/changed. And you’re back to trying to figure out what’s changed and makes your script break.

          • Nicolas Rojas
            cake
            OP
            link
            fedilink
            11 year ago

            @Oisteink yep, that seems the right thing to do. Honestly, most of the real problem was lazyness to reconfigure everything, and that’s why I published the question. But now I’m convinced that that’s the only way lol
            Thanks for the help!

            • @[email protected]
              link
              fedilink
              31 year ago

              Laziness sparks innovation, and there could possibly be some other way to drop privileges. There’s loads of stuff I learn about Linux still - and my first install was summer 94

              Keep at it!

            • nickwitha_k (he/him)
              link
              fedilink
              11 year ago

              You’re not wrong for trying to find another solution. Unfortunately, I think, in this case, your up against fundamental Linux permissions. One possibility would be running the work in a container with reduced capabilities but, it really is going to depend on what behaviors you’re trying to avoid.

              Overall, it’s likely a better idea to re-install because noone should be running stuff directly as root in the majority of production scenarios.

        • @[email protected]
          link
          fedilink
          2
          edit-2
          1 year ago

          Linux privilege only understands user id’s and group id’s. These are mapped through /etc/passwd and /etc/groups. You will see in passwd that the root user has UID 0. Any account you create with UID 0 will have root privileges. So running the command specifying any user with UID!=0 will run without those privileges.

          It’s also possible to set user on execution with setuid - but that won’t work on scripts only binary executables.

          https://en.wikipedia.org/wiki/Setuid

          https://en.wikipedia.org/wiki/User_identifier

          https://en.wikipedia.org/wiki/Group_identifier