Run command as not-root

Hi everyone

At work, I have to run a command in an AWS instance. Only the root user exists in that particular instance. The command should not be executed with root privileges (it executes mpirun, which is not recommended to run as sudo or the machine might break), so I was wondering if there is a way to block or disable the sudo privileges while the command is running. As mentioned, the only user existing there is root, so I suppose “sudo -u” is not an option.

Does anyone know how to do it? Thanks in advance!

48 points

Use root to create new user, then run app as new user.

2 points

@astray yeah, that could be an option, but if more users exist in that machine then other processes might fail, as that instance is part of a bigger cluster that has several processes running. It might not be a big deal, but checking that may still need some work. I’d prefer a way to do it without creating new users, if it exists.

7 points

If a different user doesn’t exist then you obviously can’t run the command as that different user. The only solution here is to create a new user account.

Also your image is improperly configured which is something you should fix first.

1 point

@elscallr I agree about the instance configuration, fixing that is the real solution.

My question was not about running something as another user, but about hiding the superadmin privileges from a single command I’d execute without switching users. However, it is clear that something like that doesn’t exist, so I’ll do the right thing and set everything to work with a new user.

22 points

You probably want to run the command as nobody, the special system user who daemons become when they don’t want to have root permissions.

15 points

There are no other users at all? Seems like a lot of stuff simply wouldn’t work without a single non-root user, not to mention this is a pretty bad security stance considering the only user is the most powerful one.

If you do have another user on the instance you can su as that other user, nobody for example, from the root account. Run ‘cat /etc/passwd’ and you will see every available user on the instance.

1 point

@astraeus yep, completely agree on the security issues, that is a mistake that should be fixed. But for the moment I confirmed that root is the only user, and every file and program in the instance can only be used by root (I just created a new user and tried to run the command with su -c but got a lot of permission denials and command not found).

If I could hide or disable my own sudo permissions that would save me a lot of work, but I’m starting to think that something like that doesn’t exist 🙁

4 points

Unfortunately hiding sudo from root would lead to much greater issues. You can remove sudo privileges from a non-root user, but I don’t think there’s a feasible way to do so for root.

Does your new user have a proper shell setup? If you type bash in the new user’s terminal does it give you anything?

3 points

If everything on the machine is owned by root and does not provide global read or execute permissions then a new user would not be able to access it without being in the root group. Assuming the files have group permissions set at all anyways.

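Added example, not part of the thread: a POSIX shell check for the situation in the comment above, where a newly created user gets permission denials because root-owned paths grant nothing to "other". It walks each component of an absolute path and reports the ones that lack the other-execute bit; the function names are made up for this sketch, and ACLs and group membership are not considered.

```shell
#!/bin/sh
# other_bits PATH -> the three "other" characters of the ls mode string,
# e.g. "r-x". -L follows a symlink so the referenced file's mode is reported.
other_bits() {
    ls -ldL -- "$1" 2>/dev/null | cut -c8-10
}

# world_access_gaps /abs/path/to/command
# Prints one line per component a user outside the owner and owning group
# could not traverse (directories) or execute (final file).
# Exit status: 0 = no gaps, 1 = at least one gap, 2 = bad argument.
world_access_gaps() (
    target=$1
    case $target in
        /*) ;;
        *) echo "need an absolute path" >&2; exit 2 ;;
    esac
    cur=""
    rc=0
    IFS=/          # split the path on slashes (contained in this subshell)
    set -f         # no globbing while splitting
    for part in $target; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        bits=$(other_bits "$cur")
        if [ -z "$bits" ]; then
            echo "cannot stat: $cur"; rc=1; break
        fi
        case $bits in
            ??x|??t) ;;                           # other may search/execute
            *) echo "no o+x ($bits): $cur"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Stand-alone use: sh script.sh /path/to/command
if [ "$#" -gt 0 ]; then world_access_gaps "$1"; fi
```

Run it as root against the command the new user failed to start; each reported line is a directory or file whose mode has to change, or whose group the new user has to join, before that user can reach the command.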
3 points

I don’t think you understand what root is. By definition it has those permissions because it’s root.

11 points

The system is broken. Wipe it and start again. I could imagine a system with no configured root but root only is just a security nightmare and not worth using as a starting point.

I really hope that machine isn’t exposed to the internet…

In theory a root application can drop capabilities when it starts up and remain root pid, but it’s not that common… it’s used for certain system apps that require root to increase security. It is not a replacement for unprivileged users.

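Added example, not part of the thread: a POSIX shell check that tells apart the cases this comment contrasts, by reading the effective UID and the `CapEff` mask from a Linux `/proc/<pid>/status` file. The function name and the choice of three capabilities to report are assumptions of this sketch.

```shell
#!/bin/sh
# cap_report STATUS_FILE
# STATUS_FILE is a /proc/<pid>/status file. Prints a one-line verdict:
# an unprivileged uid, uid 0 with every effective capability dropped,
# or uid 0 still holding capabilities.
cap_report() {
    euid=$(awk '$1 == "Uid:" { print $3 }' "$1")      # 2nd number = effective uid
    eff=$(awk '$1 == "CapEff:" { print $2 }' "$1")    # hex capability mask
    [ -n "$euid" ] && [ -n "$eff" ] || { echo "unreadable: $1"; return 2; }

    mask=$(( 0x$eff ))
    held=""
    # Bit numbers as defined in linux/capability.h.
    for pair in 1:CAP_DAC_OVERRIDE 7:CAP_SETUID 21:CAP_SYS_ADMIN; do
        bit=${pair%%:*}
        if [ $(( ($mask >> $bit) & 1 )) -eq 1 ]; then
            held="$held ${pair#*:}"
        fi
    done

    if [ "$euid" -ne 0 ]; then
        echo "uid $euid: unprivileged user"
    elif [ "$mask" -eq 0 ]; then
        # Still uid 0: it owns every root-owned file, which is why this
        # state is not equivalent to running as a separate user.
        echo "uid 0: all effective capabilities dropped"
    elif [ -n "$held" ]; then
        echo "uid 0: still holds:$held"
    else
        echo "uid 0: reduced set, CapEff=$eff"
    fi
}

# Stand-alone use: report on the current shell's own process tree.
if [ -r /proc/self/status ]; then cap_report /proc/self/status; fi
```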
6 points

The easiest way to create a new user
