How to run program as another user - and permanently dropping current user privileges?

Jonathan Duncan jonathan at bluesunhosting.com
Tue Mar 13 17:03:00 MDT 2007


On Tue, 13 Mar 2007, Kenneth Burgener wrote:

> I got around to trying this today, but when I run my program I get an
> error saying:
>
> [root@test ~]# su -l myuser -c "/usr/myapp/myprogram"
> "This account is currently not available."
>
> Originally I created this user in /etc/passwd as follows:
>
> myuser:x:500:500::/tmp:/sbin/nologin
>
> When I changed the shell parameter to:
>
> myuser:x:500:500::/tmp:/bin/bash
>
> I was able to run the program fine, and it showed up in the 'ps' list as running
> as myuser:
>
> # ps aux
> ...
> myuser  2470 0.0 0.0 5956 372 ? Ss 16:36 0:00 /usr/myapp/myprogram
>
> and all files created by 'myprogram' are created as the 'myuser'
> program, which is what I wanted.  But I wonder if having the 'myuser'
> with a default shell (and no password) would be a security hole, and
> possibly allow someone to SSH to my box using this user account.  I
> noticed all other daemon users have "/sbin/nologin" as their default
> shell, and I assume they do this for a reason.
>
> Should I be concerned with this?
>

Yes, be very concerned.

What was the IP of that machine again?  ;)
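
Added example, not part of the original thread: one way to check the concern raised in the quoted question is to cross-reference each account's login shell with its shadow password state. The file contents, every account name other than `myuser`, and the function names are constructed for illustration; authentication methods other than passwords (for example SSH keys) are outside what it checks.

```shell
#!/bin/sh
# Added example: classify accounts by login shell and shadow password state.

# audit_accounts PASSWD_FILE SHADOW_FILE -> one "user shell state" line per account
audit_accounts() {
    awk -F: -v shadow="$2" '
        # Shadow-format file: remember each password field (2nd column).
        FILENAME == shadow { pw[$1] = $2; next }
        # Passwd-format file: the 7th column is the login shell.
        {
            if ($7 ~ /\/(nologin|false)$/) state = "no-login-shell"
            else if (!($1 in pw))          state = "shell-no-shadow-entry"
            else if (pw[$1] == "")         state = "shell-EMPTY-password"
            else if (pw[$1] ~ /^[!*]/)     state = "shell-locked-password"
            else                           state = "shell-password-set"
            print $1, $7, state
        }
    ' "$2" "$1"
}

# Constructed sample files (not real account data). "myuser" mirrors the
# passwd line from the thread; the shadow entries are assumptions.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
myuser:x:500:500::/tmp:/bin/bash
svcuser:x:501:501::/tmp:/sbin/nologin
emptyuser:x:502:502::/tmp:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:13585:0:99999:7:::
myuser:!!:13585:0:99999:7:::
svcuser:!!:13585:0:99999:7:::
emptyuser::13585:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
write_samples "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
```

On a real host the two arguments would be `/etc/passwd` and `/etc/shadow`, read as root.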


