NAME

runas - switch to a new user and group id for a single command


SYNOPSIS

runas [ environment flag ] [ option flags ] [ user[.group] ] command


DESCRIPTION

This documentation is no longer being maintained and may be inaccurate or incomplete. The texinfo documentation is now the authoritative source.

runas allows a system administrator to run a process as any user on the system, including the super-user. Furthermore, every command that is executed is sent to syslogd(8) along with the command arguments, date, time, host, tty, user name and group name the command was run as.

This lets systems with several administrators keep easy track of who made which system modification (enabling finger pointing instead of just head shaking when something goes wrong). It also gives administrators a quick way to run commands as root (and other users) without typing passwords: no authentication step stands between the administrator and the privileged command, so accountability rests on the syslog record and on the access control file that decides who may run what.


ENVIRONMENT FLAGS

--preserve
The current shell environment is inherited by the process run by runas, with two changes: (1) the secure PATH is prepended to $PATH; (2) $SHELL is set to /bin/false unless command is a restricted shell (one listed in /etc/shells), in which case it is set to the absolute path of command. Everything else in the caller's environment, including variables that influence how the command itself is loaded and behaves, passes through unchanged.

--sanitize
The current shell environment is replaced with a minimal environment before command is run. The environment consists of:

$HOME (value of passwd entry [pw_dir] for user)

$LOGNAME (value of passwd entry [pw_name] for user)

$PATH (replaced by the secure PATH).

$SHLVL (inherited).

$TERM (inherited).

$SHELL is set to /bin/false when command is not a restricted shell, otherwise it is set to the absolute filepath of command.

$USER (value of passwd entry [pw_name] for user)

Additionally, if command is a restricted shell, a chdir($HOME) is done before it is run. --sanitize is the default for users whose access is granted through the access control file (runas.access), and such users cannot override it at run time.

--login
As --sanitize, but if command is a restricted shell, it is run as a login shell (see the shell's own man page for what running as a login shell changes).


OPTION FLAGS

--access
Displays the commands the invoking user may run via runas and exits. If the user may run any file as any user or group, the users who hold that unrestricted access are listed. Additionally, all commands in the access control file runas.access are displayed.

--help
Displays usage information and exits.

--info
Displays detailed compile-time configuration information and exits. This information is a suitable starting place for a bug report.

--version
Displays the version release and date and exits.

--which
Displays the full path of the command that would be run, as determined by the value of $PATH modified by the compile-time values of SECURE_PATH, EXEC_ONLY_ADMIN_OWNED_SHELLS, IGNORE_SYMLINKS and IGNORE_PREFIX_IN_PATH and by the run-time options --preserve, --sanitize and --login. When --which is specified, command is not run and the runas invocation is not syslogged.


ARGUMENTS

user
Specifies the login name or numeric uid of the user to run the command as. If the user does not exist, an error message is displayed. If no user is given, the default is root.

group
Specifies the group name or numeric gid to run the command as. If the group does not exist, an error message is displayed. If no group is given, the default is the current group, except that when the user is the default (root) and ROOT_GID was defined at compile time, the process runs with that gid.

command
Specifies the file to execute. If a relative or absolute path is not given, then the first executable file in the modified $PATH that matches command will be run.


ENVIRONMENT

The value of the SHELL variable is replaced by ``/bin/false'', which tends to prevent users from exploiting the shell-escape feature of pagers (like less) and editors (like emacs) to obtain a root shell whose activity is not logged. This is a mitigation, not a boundary: a program that ignores $SHELL, or that offers some other way to execute commands, can still escape to an unlogged root process.


SECURITY

If selected at compile time, a 'secure' path is prepended to the administrator's current path, thus ensuring that certain directories are searched before others (to prevent those administrators with ``.'' and other insecure directories in their path from inadvertently running a trojan command).

Additionally, the absolute name of the command is expanded before it is executed, so no guessing is needed to determine from the log which file was actually run. Due to this feature, built-in shell commands cannot be directly run using runas.
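An added example, not the runas source, of the command resolution this section describes: an assumed SECURE_PATH is prepended to the caller's PATH, relative entries such as ``.'' are skipped (assumed here to be what IGNORE_PREFIX_IN_PATH controls), symlinks can be refused (the IGNORE_SYMLINKS option), and the first regular executable file wins, so the absolute path that gets logged is the one that gets executed. A shell built-in like cd has no file on the path and therefore resolves to nothing.

```c
/* Added example (not the runas source): secure-path command resolution in
 * the style of the SECURITY section. SECURE_PATH is an assumed value. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SECURE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"   /* assumed compile-time value */

/* "secure:user_path" (or just "secure" when the user has none); free() the result. */
char *secure_path_prepend(const char *secure, const char *user_path) {
    size_t n = strlen(secure) + 1 + (user_path ? strlen(user_path) : 0) + 1;
    char *s = malloc(n);
    if (!s) { perror("malloc"); exit(1); }
    if (user_path && *user_path) snprintf(s, n, "%s:%s", secure, user_path);
    else snprintf(s, n, "%s", secure);
    return s;
}

/* Accept only a regular file with an execute bit; with ignore_symlinks the
 * final path component must not be a symlink (lstat instead of stat). */
static int is_executable_file(const char *path, int ignore_symlinks) {
    struct stat st;
    if (ignore_symlinks) {
        if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode)) return 0;
    } else if (stat(path, &st) != 0) {
        return 0;
    }
    return S_ISREG(st.st_mode) && access(path, X_OK) == 0;
}

/* Resolve name to an absolute path in out. Returns 0 on success, -1 if no
 * acceptable file is found (out is then empty). A name containing '/' is
 * taken as given, made absolute against the cwd if needed; otherwise the
 * PATH entries are searched in order and relative entries are never used. */
int resolve_command(const char *name, const char *path, int ignore_symlinks,
                    char *out, size_t outlen) {
    if (strchr(name, '/')) {
        if (name[0] == '/') {
            snprintf(out, outlen, "%s", name);
        } else {
            char cwd[4096];
            if (!getcwd(cwd, sizeof cwd)) return -1;
            snprintf(out, outlen, "%s/%s", cwd, name);
        }
        return is_executable_file(out, ignore_symlinks) ? 0 : -1;
    }
    char *copy = strdup(path), *save = NULL;
    if (!copy) return -1;
    int rc = -1;
    for (char *dir = strtok_r(copy, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        if (dir[0] != '/') continue;   /* ".", "bin" and other relative entries are skipped */
        snprintf(out, outlen, "%s/%s", dir, name);
        if (is_executable_file(out, ignore_symlinks)) { rc = 0; break; }
    }
    free(copy);
    if (rc != 0 && outlen) out[0] = '\0';
    return rc;
}

/* Behaves like --which: print what would be executed, run nothing. */
int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "sh";
    char *path = secure_path_prepend(SECURE_PATH, getenv("PATH"));
    char resolved[4096];
    if (resolve_command(name, path, 0, resolved, sizeof resolved) == 0)
        printf("%s -> %s\n", name, resolved);     /* this absolute path is what gets logged */
    else
        printf("%s: not found in %s (shell built-in?)\n", name, path);
    free(path);
    return 0;
}
```

Because the secure directories come first, a trojan named ls in ``.'' or in the caller's own bin directory is only reached if no system directory provides the command; with the relative entries skipped entirely, ``.'' never wins at all.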


BUGS

When SHELL is set to /bin/false (see ENVIRONMENT), gdb will not behave well when run via runas, producing the error message ``You can't do that without a process to debug''. To work around this, first use runas to start a shell as the target user, then start gdb from that shell.


LIMITATIONS

Even on those systems that support them, runas does not accept signed (i.e., negative) uid or gid values on the command line. If a signed entry is created in the passwd or group files and used, runas will report that entry incorrectly, because id values are promoted to unsigned long before they are logged.
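The following added example, not the runas source, shows the sign problem this section warns about and a strict parser for numeric user and group arguments. A strtoul()-based parser accepts ``-1'' and silently wraps it to ULONG_MAX, which truncates to the (uid_t)-1 sentinel that setuid(2) and chown(2) treat specially, so a typo turns into an id that is valid-looking but never meant; the strict version accepts only unsigned decimal digits within the id range and rejects everything else. The id range assumes an unsigned 32-bit uid_t.

```c
/* Added example (not the runas source): naive versus strict uid/gid parsing. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* What a strtoul()-based parser does with a signed argument: "-1" is accepted
 * and wraps to ULONG_MAX, so a later cast to uid_t yields (uid_t)-1. */
unsigned long naive_parse_id(const char *s) {
    return strtoul(s, NULL, 10);
}

/* Largest id accepted. (uid_t)-1 is the "leave unchanged" sentinel for
 * chown(2) and friends, so it is excluded as well. Assumes unsigned uid_t. */
#define ID_MAX (((long long)(uid_t)-1) - 1)

/* Strict parser: decimal digits only, no sign, no leading whitespace, no
 * trailing junk, within [0, ID_MAX]. Returns the id, or -1 on any error. */
long long parse_id(const char *s) {
    if (!s || !isdigit((unsigned char)*s)) return -1;   /* rejects "", "-1", "+5", " 12" */
    char *end;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;      /* overflow or trailing junk */
    if (v > (unsigned long long)ID_MAX) return -1;
    return (long long)v;
}

int main(int argc, char **argv) {
    const char *arg = argc > 1 ? argv[1] : "-1";
    printf("naive:  %s -> %lu\n", arg, naive_parse_id(arg));
    printf("strict: %s -> %lld\n", arg, parse_id(arg));
    return 0;
}
```

With the strict parser, a rejected id is an error before any privilege change happens, rather than an unsigned promotion that is only noticed in the syslog record afterwards.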


AUTHORS

The current source is unrecognizable compared to the original, but credit for the original concept is given to Dan Smith, somewhere in the midwest United States in 1984. Over the years, the code has been beaten, flogged, and hacked to death by numerous people with roots in the Old Dominion University Computer Science Systems Group. The current version of runas consists of code written by Chris Carpinello.


SEE ALSO

syslogd(8), execve(3), runas.access(5)