How to run program as another user - and permanently dropping current user privileges?

plug.org at 2nerds.com plug.org at 2nerds.com
Tue Mar 13 18:49:05 MDT 2007


On Tue, 13 Mar 2007, Kenneth Burgener wrote:
> I got around to trying this today, but when I run my program I get an
> error saying:
> 
>  [root@test ~]# su -l myuser -c "/usr/myapp/myprogram"
>  "This account is currently not available."

What are the reasons why sudo isn't the preferred alternative?

sudo doesn't require the target user to have a valid shell. sudo tries
to drop potentially dangerous environment variables before giving
control to the target command. sudo allows the issuer of the sudo
command to control which shell (if any) will be used to interpret the
given target command.  And sudo has a fairly sophisticated (if
complex) access control mechanism.  Finally, if you're worried about
an attacker escaping back to the privileged environment, I'd guess
that "exec sudo ..." would provide some comfort.  Sounds like a winner
to me, so I'm wondering why it's unsuitable.  (Did I miss something
obvious?)

Chris
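
The properties listed in the message above (no login shell involved, risky environment variables removed, no way back to the privileged environment once the target runs) are shown here in a small C launcher. This is an added example, not part of the original post and not sudo's own code; the function names and the short `RISKY` list are hypothetical, and Linux with glibc is assumed for `setresuid`/`setresgid`.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Variables a privileged launcher should not pass on (illustrative list, not sudo's). */
static const char *const RISKY[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", "IFS", "ENV", "BASH_ENV", NULL };

/* Return 1 if a "NAME=value" entry names a variable in RISKY, else 0. */
int is_risky(const char *entry) {
    for (size_t i = 0; RISKY[i]; i++) {
        size_t n = strlen(RISKY[i]);
        if (strncmp(entry, RISKY[i], n) == 0 && entry[n] == '=') return 1;
    }
    return 0;
}

/* Copy the safe entries of in[] into out[] (capacity cap, NULL-terminated); return count kept. */
size_t scrub_env(char *const in[], char *out[], size_t cap) {
    size_t k = 0;
    for (size_t i = 0; in[i] && k + 1 < cap; i++)
        if (!is_risky(in[i])) out[k++] = in[i];
    out[k] = NULL;
    return k;
}

/* Drop to uid/gid for good: groups, then gid, then uid; then confirm root is unreachable. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) != 0) return -1;        /* shed root's supplementary groups */
    if (setresgid(gid, gid, gid) != 0) return -1;  /* real, effective and saved gid */
    if (setresuid(uid, uid, uid) != 0) return -1;  /* real, effective and saved uid */
    if (uid != 0 && setuid(0) == 0) return -1;     /* regaining root must fail */
    return 0;
}

int main(int argc, char *argv[]) {
    extern char **environ;
    char *clean[256];
    if (argc < 4) { fprintf(stderr, "usage: %s UID GID /path/to/program [args]\n", argv[0]); return 2; }
    scrub_env(environ, clean, 256);
    if (drop_privileges((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2])) != 0) { perror("drop"); return 1; }
    execve(argv[3], &argv[3], clean);  /* no shell is involved; this process is replaced */
    perror("execve");
    return 1;
}
```

Because the target is started with `execve` rather than through the account's login shell, an account whose shell is a nologin program can still run it.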


