Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Execute commands as another user UNIX
In order to execute a command via another user, without knowing their password, you can use the "su" command to log into root and then their account.
% su - [enter root password]
% su bob
[robg adds: Further proof that root really can do everything ... and why you should be quite careful with it. Any comments from the UNIX experts?]
    •    
  • Currently 1.00 / 5
  • 1
  • 2
  • 3
  • 4
  • 5
  (1 vote cast)
 
[21,484 views]  

Execute commands as another user | 23 comments | Create New Account
Click here to return to the 'Execute commands as another user' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Execute commands as another user
Authored by: escowles on Feb 20, '03 10:42:16AM

You should really use sudo for this. Just type:

sudo -u username command

Not only is it easier, but it's also very customizable -- you can control which users can execute which programs as what users.

-Esme



[ Reply to This | # ]
Execute commands as another user
Authored by: morgion on Feb 20, '03 10:57:46AM

You can also use the following to become the root user (if you have sudo access and authorization to execute the command): sudo -s
It will then prompt you for your password; enter the one you use to login.

This next command is helpful if you want to run a series of commands as another user (after you are root, naturally): su username

This method is much safer than logging in as root; you don't even have to enalbe the root password. I've been using UNIX for years, and I haven't enabled the root password on any of my Macs without loosing any flexibility.



[ Reply to This | # ]
Execute commands as another user
Authored by: MasterUltan on Feb 20, '03 11:10:41AM

su bob will work just fine if all you want to do is change to another identity; you don't need to su to root first if you know that id's password. At the password prompt, just type "bob's" password.



[ Reply to This | # ]
Execute commands as another user
Authored by: tobyc on Feb 20, '03 11:41:25AM

This of course only works if you an administrator. You can't su to root or any other user if you are not an admin on the box.



[ Reply to This | # ]
Execute commands as another user
Authored by: mervTormel on Feb 20, '03 12:54:38PM

Only users in group "wheel'' (normally gid 0) or group "admin'' (normally gid 20) can su to "root''.



[ Reply to This | # ]
False
Authored by: MasterUltan on Feb 20, '03 09:04:33PM

The su command will work as ANY user, regardless of privilege. If I am logged in as "sam" and wish to execute commands as "joe", I type:

su joe

and then enter the password for the user "joe". No admin privileges necessary, just password knowledge.

I frequently use this command on UNIX-like machines to help friends or perform some tasks when they are logged into the machine. I often su to my account to access a file, for example.



[ Reply to This | # ]
Execute commands as another user
Authored by: ComputerX on Feb 20, '03 12:35:15PM

su stands for "substitute user identity".

This is exactly what the utilty is there for.

Most of the time you are changing to root, but you can change to any user (more or less.)

Dan

PS Try "man su" at a command line.



[ Reply to This | # ]
Use "sudo -u [username] [command]"
Authored by: Garin on Feb 20, '03 12:38:23PM

sudo -u [username] [command]

It's simpler to just use sudo. Then you don't need to enter the root password, and you don't need to know the user's password.



[ Reply to This | # ]
Haha.
Authored by: Garin on Feb 20, '03 12:41:20PM

I guess this was covered in the first reply. That'll teach me for starting a post, forgetting about it, and then submitting it a couple of hours later.

Anyways, sudo is your friend.

man sudo
man sudoers
man visudo

and you'll find a wealth of information on how to do all kinds of things with permissions. You can do some pretty cool things with sudo.



[ Reply to This | # ]
Execute commands as another user
Authored by: jnet on Feb 20, '03 01:07:21PM

Note, it is often preferred to execute the command this way:

su - username

The presence of the hyphen means "use the new user's environment"... otherwise the su command will not overwrite the old user's environment variables.

[ Reply to This | # ]

Why do people insist on having root enabled??
Authored by: daveschroeder on Feb 20, '03 01:30:12PM

Yet another hint that requires root to be enabled when, as has been pointed out by many others, sudo is what you want to be using!

root does NOT and should NOT, EVER, need to be enabled for 99.9% of all Mac OS X systems. (Yes, there are other enterprise/server/speciality environments where having root enabled for various reasons is appropriate and accepted; I'm NOT talking about those here.)

You can and should do EVERYTHING with sudo.

You can get a root shell with sudo. You can execute any command as any other user as sudo. You can BECOME other users with sudo.

Why do people insist on enabling and using root?

And for the lazy, if you really just refuse to learn any of sudo's capabilities, at a bare minimum, just use 'sudo su' - that right there gives you a root shell, where literally ANYTHING can be done, and is the exact functional equivalent of using 'su' and using root's password.

Repeat: you do NOT need root enabled; you do NOT need to be using 'su' by itself.

Reasons:

1. Getting into the habit of not having root enabled discourages unnecessary uses of root (like logging in as root via the gui), where much harm can be done. Say whatever you will; this is still a good practice.

2. You REALLY CAN do ANYTHING with sudo, just as conveniently. "It's more convenient/quicker/etc to just use su" is NOT a valid excuse, and is totally untrue: if you really need a full root shell, "sudo su" or "sudo -s" gets you one!

3. Having the root account enabled fundamentally exposes you to more exploit possibilities.

4. Encouraging people to use tools like sudo also encourages learning, and more responsible and wise use of the tools at our disposal.

sudo: learn it.

Rob, I'd actually consider removing this hint, or amending it to say something like "sudo su <user>", which accomplishes the same thing, or any number of the other alternate other suggestions that use sudo.



[ Reply to This | # ]
Quit yer Whining
Authored by: bmerlin on Feb 20, '03 02:23:17PM

You know, preaching to people on why not to use root is really pointless. If they want to use root, they will. It's really none of your concern.

You don't like using root? Fine. Don't. Screaming about it whenever someone else mentions using it doesn't help.



[ Reply to This | # ]
Quit yer Whining
Authored by: incongruity on Feb 20, '03 04:59:30PM
You don't like using root? Fine. Don't. Screaming about it whenever someone else mentions using it doesn't help.

Actually, it helped a lot; I didn't really think about some of the points he brought up. Inasmuch as this is a HINTS website, you know, a place where some of us come to learn things that we previously didn't know or hadn't figured out on our own about OS X (including the CLI/ UNIX'ish underpinnings of it, I think that the original poster's comments were infact very helpful. Yours, on the otherhand, was pure flamebait.

[ Reply to This | # ]

Quit yer Whining
Authored by: bidmead on Feb 20, '03 05:08:09PM

Not to mention the fact that sudo as a command can't properly be tailored to a particular system unless someone on the system has access to /etc/sudoers for editing -- ie, is root.

Any properly managed UNIX system needs root access. The trick is to confine root use only to managing the system, not as a general purpose user.

--
el bid



[ Reply to This | # ]
Quit yer Whining
Authored by: ashill on Feb 20, '03 06:39:07PM

Mac OS X is configured so that all administrators are placed in the admin (80) group, and the admin group is given sudo privileges in /etc/sudoers. Therefore, administrators can edit /etc/sudoers by "sudo visudo", and can create more groups and assign individual non-admin users or groups whatever sudo privileges they merit (none, by default). If an administrator removes the admin group's permission to edit the config file, root has to be enabled, but that's why you only give admin access to people you trust!

Mac OS X does not need root access to be properly managed because administrators have the privileges to temporarily become root (via sudo) to do anything that needs to be done, and this is without sharing one root password among (potentially) multiple administrators.

-Alex Hill



[ Reply to This | # ]
What about GUI commands?
Authored by: martinx on Feb 20, '03 05:13:07PM

I discovered this trick some time ago, but didn't find it useful because I
couldn't get any apps that run graphically to work.

For example, if I cd to /Applications/Calculator.app/Contents/MacOS and
run Calculator, I get:

kCGErrorIllegalArgument : initCGDisplayState: cannot map display
interlocks.
kCGErrorIllegalArgument : CGSNewConnection cannot get connection
port
INIT_Processeses(), could not establish the default connection to the
WindowServer.Abort


The same exact process works if I'm not su'ed to another user.

Am I missing something?



[ Reply to This | # ]
What about GUI commands?
Authored by: punkmanandy on Feb 20, '03 09:58:55PM

"open" will open the command on whatever users display it is executed under. if they arent logged in, they dont have a display. you can ssh in as the logged in user, and run open, and it will work.



[ Reply to This | # ]
What about GUI commands?
Authored by: schnarr on Feb 21, '03 01:51:58PM

This is similar to the way displays are handled on Xwindows with xhost set to -, only I don't think there's any way to allow all hosts to connect to OSX's display (I haven't seen one yet, at least). The purpose of xhosts on Xwindows systems is to allow other hosts to connect to and bring up windows on your display.

On an Xwindows system, typing 'xhost -' disables anyone else from sending a window to your display. If you've got X11 or XFree86 installed, try the following:
start X11
launch an xterm
xhost + (or xhost + [your machine/remote machine])
echo $DISPLAY
su - [some other user]
echo $DISPLAY
note that the display won't be set for this user, so you won't be able to launch any new Xwindows from here -
try one:
xterm
(error about Can't open display)
if using csh, tcsh, or zsh type
setenv DISPLAY [use value from DISPLAY above]
otherwise, type
export DISPLAY=[value from DISPLAY above]
xterm
the xterm is now be launched as the other user on your display.

btw, setting and leaving xhost + is a BAD IDEA, because anyone can send a window to your display, and it could look like another window you have open (tricking you into sending them information you don't want to send), or they could send you annoying pictures or ads (hey admin, Al's looking at porn again... no I'm no... - where the heck did that come from!?!).



[ Reply to This | # ]
What about GUI commands?
Authored by: discordantus on Feb 24, '03 09:40:29PM

The short answer is, no. Under Mac OS X, you can't launch an application as another user (other than root).



[ Reply to This | # ]
Execute commands as another user
Authored by: zeb on Feb 20, '03 05:20:39PM

Pardon my ignorance as I am very new to all this, but is there a way to change a user like this, and then perform tasks as that user in the Finder? (without loggin out) Or does this switch mentioned in this hint only apply for the Terminal session and to commands entered within the Terminal?

Let's say, for instance, I wanted to make a slight change in a file within the System Library, but can't unless I'm root (or I change the permissions for said file)... Can I enter a command in the Terminal to change my UID so I can go and make the change as "root", then enter another command to switch back to my UID?



[ Reply to This | # ]
Execute commands as another user
Authored by: pmccann on Feb 20, '03 09:25:49PM

Nope: you'll be root in the terminal if you execute a command such as

sudo -s

(this will be indicated with the "#" prompt), but changing your terminal identity this way doesn't affect the GUI: the critical windowing processes that are doing all the heavy lifting were started by the user who logged in via the GUI, and that's not going to change without a logout (or a change in the way that apple implements this stuff so that there can be multiple, swappable sessions on the go at the same time, with only one "visible").

Cheers,
Paul



[ Reply to This | # ]
Execute commands as another user
Authored by: schnarr on Feb 21, '03 12:32:31PM

I've used sudo and su a lot, and there are reasons for using one or the other.

By what you're saying, you want to edit a file you don't own, which you can do by using 'sudo command', where command is the command you want to do (with any required parameters).
Say I want to edit /etc/passwd (for some reason)
I would type
sudo vim /etc/passwd
[my normal password]
This file is opened for editing as root, but when I save it and exit, I'm back to being my normal user.
Additional sudo commands done within the next 5 minutes don't need a password (and the timer resets with each call, so if you edit a bunch of files within 5 minutes of each other you can potentially chain hours or days together), so as long as you keep doing sudos, you won't need to authenticate yourself each time. The 5 minute limit is to ensure you don't walk away from your keyboard and give someone else temporary root.

I almost never use sudo -s, unless I need to do a ton of actions as root (debugging an install, for instance). With sudo -s you're leaving a door open in your system. For the most part, it's not that dangerous if you're just doing it at home, but you never know when the feds are going to wiretap your home for all those napster downloads...

A few notes about 'su':
using su instead of sudo makes your effective user ID=root (euid) as well as your uid. This has implications if you're running programs that have the sticky bit set that do a setuid or setgid - er, in English, that's programs that run as a different user than the owner of them and the program itself runs some part of itself as a different user. The ONLY place I've ever used anything like this is in a Web perl-CGI that needed to be executed with root priveleges, but run as a specific user (specifically because I was remote logging into machines where I didn't have a root password).

using 'su' without the '-' uses the current user's shell and environment variables. This is handy if you want to figure out problems with another user's shell variables. I've used this FAR too much (usually because of slow logins due to stale remote mounts or someone putting Xwindows display settings in their .cshrc).

The su I'm describing above is always 'su username' though - you really never need 'su -' unless you need your effective user ID set.



[ Reply to This | # ]
Execute GUI commands as another user
Authored by: mj on Feb 21, '03 09:24:03PM

You can actually use GUI programs as root without logging out—it just involves restarting the program you want to use as root. So, on the rare occasion I need to use the Finder as root, I

osascript -e 'tell app "Finder" to quit'
sudo /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder

If you look up the Finder's PID, you could also quit it with

sudo kill -HUP <finder_pid>

but I'm not sure if the Finder will quit cleanly that way. When you're done, you can quit the same way, and start the Finder as yourself as above without the sudo, or by clicking in the Dock.

My slight guesswork explanation as to why this works is that root, having access to everything, has access to your display interlocks (whatever those are), and so can use your display. I imagine that with the appropriate tweaking of groups and permissions that you could set up your computer to allow you to use your display as other users, too.

MJ



[ Reply to This | # ]