runas - switch to a new user and group id for a single command
runas
[ environment flag ] [ option flags ] [ user[.group] ]
command
This documentation is no longer being maintained and may be inaccurate or
incomplete. The texinfo documentation is now the authoritative source.
runas allows a system administrator to run a process as any user on the system,
including the super-user. Furthermore, every command that is executed is
sent to syslogd(8)
along with the command arguments, date,
time, host, tty, user name and group name the command was run as.
This enables systems with multiple administrators to keep an easy track of
who has made system modifications (thus enabling finger pointing instead of
just head shaking when something goes wrong). Furthermore, it provides a
secure way for system administrators to quickly run commands as root (and
other users) without the need for typing in passwords.
- --preserve
-
The current shell environment is inherited by the process run by runas with
two minor changes: (1)
$PATH
has a secure PATH prepended to
it. (2) $SHELL
is set to /bin/false when command is not a restricted shell (as defined in /etc/shells), otherwise it is set
to the absolute path of command.
- --sanitize
-
The current shell environment is replaced with a minimal environment before command is run. The environment consists of:
$HOME
(value of passwd entry [pw_dir] for user)
$LOGNAME
(value of passwd entry [pw_name] for user)
$PATH
(replaced by the secure PATH).
$SHLVL
(inherited).
$TERM
(inherited).
$SHELL
is set to /bin/false when command is not a restricted shell, otherwise it is set to the absolute filepath of command.
$USER
(value of passwd entry [pw_name] for user)
Additionally, if command is a restricted shell, then a chdir($HOME)
is done as well.
--sanitize is the default behavior for access control file users and is not
changeable at runtime for ACF dependent users.
- --login
-
As --sanitize, but if the command run is a restricted shell, then the shell is run as a login shell (see each
shell man page for effects of running a shell as a login shell).
- --access
-
Displays commands available to a user to run via runas and exits. If the user can run any file as any user or group, information
regarding which users can run any command as any user or group are
displayed. Additionally, all commands in the access control file
runas.access are displayed.
- --help
-
Displays usage information and exits.
- --info
-
Displays detailed compile-time configuration information and exits. This
information is a suitable starting place for a bug report.
- --version
-
Displays the version release and date and exits.
- --which
-
Displays the fullpath of the command that is run based on the value of
$PATH
and modified by the
compile-time values of SECURE_PATH, EXEC_ONLY_ADMIN_OWNED_SHELLS,
IGNORE_SYMLINKS and IGNORE_PREFIX_IN_PATH and the run-time options
--preserve, --sanitize and --login. When --which is specified, command is not run and runas usage is not syslogged.
- user
-
Specifies the user login id or uid to run the command as. If the user does not exist, an error message is displayed. If no id is
given, the default is root.
- group
-
Specifies the group name or gid to run the command as. If the group does not exist, an error message is displayed. If no id is
given, the default is the current group. If the user specified is the
default (root) then the process is run with a gid of ROOT_GID if it was
defined at compile time.
- command
-
Specifies the file to execute. If a relative or absolute path is not given,
then the first executable file in the modified
$PATH
that
matches command will be run.
The value of the SHELL variable is replaced by ``/bin/false'' which tends
to prevent users from using a loophole in pagers (like less) and editors
(like emacs) and shelling out to a root shell without the activity being
logged.
If selected at compile time, a 'secure' path is prepended to the
administrator's current path, thus ensuring that certain directories are
searched before others (to prevent those adminitrators with ``.'' and other
insecure directories in their path from inadventently running a trojan command).
Additionally, the absoulte name of the command is expanded before it is executed so no guessing is needed to determine
which command was run. Due to this feature, built-in shell commands cannot
be directly run using runas.
When SHELL is set to /bin/false (see ENVIRONMENT), gdb will not behave well
when run via runas, producing the error message ``You can't do that without
a process to debug''. To remedy this limitation, first start a shell as the
user to debug as with runas and then start gdb.
Even on those systems that support them, runas does not support signed (ie,
negative) uid or gid values from the command line. If a signed entry in the
passwd or group files is created and used, runas will incorrectly report
the usage of that entry (as id values are promoted to a long unsigned
value.)
The current source is unrecognizable compared to the original, but credit
for the original concept is given to Dan Smith, somewhere in the midwest
United States in 1984. Over the years, the code has been beaten, flogged,
and hacked to death by numerous people with roots to the Old Dominion
University Computer Science Systems Group. The current version of runas consists of code written by Chris Carpinello .
syslogd(8),
execve(3),
runas.access(5)