Run command as not-root
Hi everyone
At work, I have to run a command in an AWS instance. In that particular instance only exists the root user. The command should not be executed with root privileges (it executes mpirun, which is not recommended to run as sudo or the machine might break), so I was wondering if there is a way to block or disable the sudo privileges while the command is running. As mentioned, the only user existing there is root, so I suppose “sudo -u” is not an option.
Does anyone know how to do it? Thanks in advance!
Use root to create new user, then run app as new user.
@astray yeah, that could be an option, but if more users exist in that machine then other processes might fail as that instance is part of a bigger cluster that has several processes running. It might not be a big deal, but checking that may still need some work. I’d prefer a way to do it without creating new users, if it exists
There are no other users at all? Seems like a lot of stuff simply wouldn’t work without a single non-root user, not to mention this is a pretty bad security stance considering the only user is the most powerful one.
If you do have another user on the instance you can su as that other user, nobody for example, from the root account. Run ‘cat /etc/passwd’ and you will see every available user on the instance.
@astraeus yep, completely agree on the security issues, that is a mistake that should be fixed. But for the moment I confirmed that root is the only user, and every file and program in the instance can only be used by root (I just created a new user and tried to run the command with su -c but got a lot of permission denials and command not found)
If I could hide or disable my own sudo permissions that would save me a lot of work, but I’m starting to think that something like that doesn’t exist 🙁Unfortunately hiding sudo from root would lead to much greater issues. You can remove sudo privileges from a non-root user, but I don’t think there’s a feasible way to do so for root.
Does your new user have a proper shell setup? If you type bash in the new user’s terminal does it give you anything?
If everything on the machine is owned by root and does not provide global read or execute permissions then a new user would not be able to access it without being in the root group. Assuming the files have group permissions set at all anyways.
It’s nothing but root all the way down
The system is broken. Wipe it and start again. I could imagine a system with no configured root but root only is just a security nightmare and not worth using as a starting point.
I really hope that machine isn’t exposed to the internet…
In theory a root application can drop capabilities when it starts up and remain root pid, but it’s not that common… it’s used for certain system apps that require root to increase security. It is not a replacement for unprivileged users.
Forgot to mention that creating a new user brings a lot of problems because of how that machine is configured and all the tools that would need to be added the new user’s permission. In theory it would eventually work after some time working on it, but I’d like to know if there’s a way to do it without creating users (or if it’s impossible, so I can just go on with that only option)
@linuxThere’s no way to run a command as another user if that user is not created.
https://linux.die.net/man/1/runuser
Edit:sudo is also an option but I like runuser for your use-case
@Oisteink in another comment (https://social.vivaldi.net/users/nirogu/statuses/111342629815373353) I explained why I’d prefer not to create another user, as it would require a lot of work to configure everything again for that command to work (it’s a big process). I was thinking of hiding my sudo permissions from the program or something like that, if possible, because many things in the instance are only configured to be used with the root user, even if they don’t require sudo. Anyway, I’m seeing that it might not be possible so creating a new user could be the only option 🙁
Read your other post and it seems to me that a rebuild of the system to accommodate non-root users would be my preferred solution. Trying to “work around“ issues like this are prone to break as the system is updated/changed. And you’re back to trying to figure out what’s changed and makes your script break.
@Oisteink yep, that seems the right thing to do. Honestly, most of the real problem was lazyness to reconfigure everything, and that’s why I published the question. But now I’m convinced that that’s the only way lol
Thanks for the help!Laziness sparks innovation, and there could possibly be some other way to drop privileges. There’s loads of stuff I learn about Linux still - and my first install was summer 94
Keep at it!
You’re not wrong for trying to find another solution. Unfortunately, I think, in this case, your up against fundamental Linux permissions. One possibility would be running the work in a container with reduced capabilities but, it really is going to depend on what behaviors you’re trying to avoid.
Overall, it’s likely a better idea to re-install because noone should be running stuff directly as root in the majority of production scenarios.
Linux privilege only understands user id’s and group id’s. These are mapped through /etc/passwd and /etc/groups. You will see in passwd that the root user has UID 0. Any account you create with UID 0 will have root privileges. So running the command specifying any user with UID!=0 will run without those privileges.
It’s also possible to set user on execution with setuid - but that won’t work on scripts only binary executables.
https://en.wikipedia.org/wiki/Setuid
The easiest way to create a new user
Are you certain this isn’t a docker container you’ve logged into?
@ursakhiin honestly, didn’t consider it. Just checked and the “docker” command doesn’t even exist so I assume that is not the case. Do you know if the is any other way I can be certain?
Well, the docker command wouldn’t exist inside of a container. You could use uname to check the system info.
How is it you don’t know this information about a system you’ve connected to?
@ursakhiin honestly, I didn’t even know an aws instance could be a docker image. Everything I did was creating the instance normally so I assumed it was just a regular vm. But already double checked and it is not a docker image, so no problem there 🙂
It’s not that an Amazon instance can be a docker container. It was more that the behavior you are describing is extremely odd for a full Linux environment but normal for a docker container.
If you created the instance, it isn’t likely a container. But it also sounds like the base image might be poorly set up
@ursakhiin oh ok, I misunderstood the docker part
Yeah, instance configuration is the real problem here. Already fixing it 👌