LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 05-27-2010, 01:11 PM   #1
arashi256
Member
 
Registered: Jan 2008
Location: Brighton, UK
Distribution: Ubuntu 12.04 / CentOS 6.5
Posts: 394

Running program as user with no shell


Hi all,

I have a program I want to run as its own user. But I don't want anyone to be able to login as that user, so I created a user like: -

useradd -s /sbin/nologin someuser

How do I run a specific program owned by this user as this user? I can't su to this user as it doesn't have a shell.

Thanks.
 
Old 05-27-2010, 01:17 PM   #2
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,576
Blog Entries: 31

How about setting the program you want to run as this user as its login shell? That way, when the user logs in, the program would be run and when the program finishes the user would be logged out.
 
Old 05-27-2010, 01:18 PM   #3
arashi256
Member
 
Registered: Jan 2008
Location: Brighton, UK
Distribution: Ubuntu 12.04 / CentOS 6.5
Posts: 394

Original Poster
Because I don't want to do that? Presumably this is possible, else there wouldn't be so many users in /etc/passwd with no login shell that seem to run system processes.
 
Old 05-27-2010, 02:17 PM   #4
schneidz
LQ Guru
 
Registered: May 2005
Location: boston, usa
Distribution: fc-15/ fc-20-live-usb/ aix
Posts: 5,147

I think it's something like:
su - <user> -c '/path/to/command'
 
Old 05-27-2010, 02:22 PM   #5
arashi256
Member
 
Registered: Jan 2008
Location: Brighton, UK
Distribution: Ubuntu 12.04 / CentOS 6.5
Posts: 394

Original Poster
Thanks, but that doesn't work either. I get: -

# su - someuser --command=/path/to/command/prog &
This account is currently not available.
#
 
Old 05-27-2010, 02:42 PM   #6
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,397
Blog Entries: 2

Does the user 'someuser' have a password?
--- rod.
 
Old 05-27-2010, 02:45 PM   #7
arashi256
Member
 
Registered: Jan 2008
Location: Brighton, UK
Distribution: Ubuntu 12.04 / CentOS 6.5
Posts: 394

Original Poster
No, if you've no login shell, why would you need one? I can set one if you think it'll help.
 
Old 05-27-2010, 11:57 PM   #8
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 676

Quote:
Originally Posted by arashi256 View Post
Hi all,

I have a program I want to run as its own user. But I don't want anyone to be able to login as that user, so I created a user like: -

useradd -s /sbin/nologin someuser

How do I run a specific program owned by this user as this user? I can't su to this user as it doesn't have a shell.

Thanks.
Make this program SUID this user, i.e.
Code:
chown someuser your_program
chmod 4555 your_program
 
1 members found this post helpful.
Old 05-28-2010, 01:13 AM   #9
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,576
Blog Entries: 31

Quote:
Originally Posted by arashi256 View Post
Because I don't want to do that? Presumably this is possible, else there wouldn't be so many users in /etc/passwd with no login shell that seem to run system processes.
That's true and I do not understand how it is done. I wondered if it was using suid executables and wrote the following script to investigate, but found it is not done that way.
Code:
#!/bin/bash

# Quick and dirty to:
# * Find "no logon" users
# * Find processes running as them
# * Find associated program file perms

# Set typical system user $PATH
export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

# Get "no logon" users: /etc/passwd has seven colon-separated fields and
# the last one is the login shell. Match the usual "no logon" shells,
# not just /bin/false, so accounts made with useradd -s /sbin/nologin count too.
while IFS=: read -r user_name _ _ _ _ _ command_interpreter
do
    case $command_interpreter in
        /bin/false | /sbin/nologin | /usr/sbin/nologin )
            no_logon_users="$no_logon_users $user_name"
            ;;
    esac
done < /etc/passwd

# For each "no logon" user
for user_name in $no_logon_users
do
    ps_out=$( ps -u "$user_name" -o command --no-headers )
    if [[ $ps_out = '' ]]; then
        echo "No commands being run as $user_name"
    else
        echo "Commands being run as $user_name:"
        while read -r command rest
        do
            echo "$command $rest"
            # Resolve a bare command name via $PATH; processes that rewrite
            # their argv (sendmail, hald add-ons) will not resolve to a file
            if [[ ! $command =~ ^/ ]]; then
                command="$( type -p "$command" )"
            fi
            if [[ $command = '' ]]; then
                echo 'Program file for command not found'
            else
                ls -l "$command"
            fi
        done <<< "$ps_out"
    fi
done
For what it is worth here is the output on my Slackware 13.0 system
Code:
Commands being run as bin:
/sbin/rpc.portmap
-rwxr-xr-x 1 root root 36600 2007-05-18 04:23 /sbin/rpc.portmap
Commands being run as daemon:
/usr/sbin/atd -b 15 -l 1
-rwxr-xr-x 1 root root 14504 2006-08-03 06:25 /usr/sbin/atd
No commands being run as adm
No commands being run as lp
No commands being run as mail
No commands being run as news
No commands being run as uucp
No commands being run as games
No commands being run as ftp
Commands being run as smmsp:
sendmail: Queue runner@00:25:00 for /var/spool/clientmqueue
Program file for command not found
Commands being run as mysql:
/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysql/mysql.pid --skip-external-locking --port=3306 --socket=/var/run/mysql/mysql.sock --skip-networking
-rwxr-xr-x 1 root root 5734260 2009-08-04 09:41 /usr/libexec/mysqld
No commands being run as rpc
No commands being run as sshd
No commands being run as oprofile
No commands being run as apache
Commands being run as messagebus:
/usr/bin/dbus-daemon --system
-rwxr-xr-x 1 root root 289660 2009-06-09 10:30 /usr/bin/dbus-daemon
Commands being run as haldaemon:
/usr/sbin/hald --daemon=yes
-rwxr-xr-x 1 root root 307688 2009-08-01 11:02 /usr/sbin/hald
hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
Program file for command not found
No commands being run as pop
Commands being run as nobody:
/sbin/rpc.statd
-rwxr-xr-x 1 root root 54428 2008-10-26 00:51 /sbin/rpc.statd
/usr/sbin/dnsmasq
-rwxr-xr-x 1 root root 152192 2009-07-01 11:08 /usr/sbin/dnsmasq
All of the above are started from boot scripts and hence by root. Picking dnsmasq as an example, the boot script simply runs /usr/sbin/dnsmasq, that is, with no su. The dnsmasq man page includes "-d, --no-daemon Debug mode: don't fork to the background, don't write a pid file, don't change user id, ..." so it is the executable itself that is changing uid.

There was a thread on LQ recently in which a knowledgeable member (sorry -- can't remember who and can't find the thread) stated that the su command will not work unless the target user has a valid logon shell. That understanding was supported by the symptoms that other users posted. There is no reference to it in the su man page which does however say "CAVEATS This version of su has many compilation options, only some of which may be in use at any particular site". The /etc/shells file may be significant. The shells man page says "Be aware that there are programs which consult this file to find out if a user is a normal user. E.g.: ftp daemons traditionally disallow access to users with shells not included in this file".

EDIT:

Perhaps the su command is restricted by /etc/shells but the setuid(2) system call does not. That is consistent with what we know so far.

@arashi256: can you alter your program to call setuid(2) or similar?

Last edited by catkin; 05-28-2010 at 01:23 AM. Reason: clarity and formatting
 
1 members found this post helpful.
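The pattern catkin points at (dnsmasq is started by root and changes uid itself with setuid(2)), as an added example that is not from the thread or from dnsmasq: a privilege drop a service can run at startup before doing its real work, plus a check that the drop cannot be undone. It assumes glibc on Linux; "someuser" is the thread's example account, and drop_privileges, privileges_dropped and drop_to_user are names chosen here.

```c
#define _GNU_SOURCE   /* glibc: declares initgroups()/setgroups() in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>

/* Drop privileges permanently, the way dnsmasq does after root starts it.
 * Order matters: supplementary groups first (only root may change them),
 * then gid, then uid; after setuid() the groups can no longer be changed.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(const char *name, uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Keeping root's supplementary groups would leave a partial drop. */
        if ((name ? initgroups(name, gid) : setgroups(1, &gid)) != 0)
            return -1;
    }
    if (setgid(gid) != 0) return -1;   /* real, effective and saved gid */
    if (setuid(uid) != 0) return -1;   /* real, effective and saved uid */
    return 0;
}

/* Verify the drop is irreversible: every id equals the target, and a
 * non-root process cannot regain uid 0 (the saved uid is no longer 0). */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;
    return 1;
}

/* Resolve the account by name as a daemon started from a boot script would.
 * The login shell field in /etc/passwd is never consulted here, so an
 * account created with useradd -s /sbin/nologin works fine. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    if (drop_privileges(pw->pw_name, pw->pw_uid, pw->pw_gid) != 0)
        return -1;
    return privileges_dropped(pw->pw_uid, pw->pw_gid) ? 0 : -1;
}
```

Call drop_to_user("someuser") at the top of main, before the program opens anything on behalf of users; a service is started as root from a boot script precisely so that it can do this itself.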
Old 05-28-2010, 04:37 AM   #10
arashi256
Member
 
Registered: Jan 2008
Location: Brighton, UK
Distribution: Ubuntu 12.04 / CentOS 6.5
Posts: 394

Original Poster
Quote:
Originally Posted by Valery Reznic View Post
Make this program SUID this user. i.e
Code:
chown someuser your_program
chmod 4555 your_program
Thanks - that worked fine
 
Old 05-28-2010, 04:39 AM   #11
arashi256
Member
 
Registered: Jan 2008
Location: Brighton, UK
Distribution: Ubuntu 12.04 / CentOS 6.5
Posts: 394

Original Poster
Quote:
Originally Posted by catkin View Post
That's true and I do not understand how it is done. I wondered if it was using suid executables and wrote the following script to investigate, but found it is not done that way.
I've solved it now - see above. Someone else told me that su relies on an active shell for that user. As for the rest, nice script - going to run it on my Fedora server and see what I get. Worth looking into really. I don't understand that part of Linux very well.
 
Old 05-28-2010, 07:50 AM   #12
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 676

Quote:
Originally Posted by arashi256 View Post
Thanks - that worked fine
You are welcome
 
Old 05-29-2010, 12:54 AM   #13
alan99
Member
 
Registered: Mar 2010
Distribution: Debian
Posts: 180

You can run a user process without anyone being able to log into a shell. I created a user 'nobody' and locked the password so nobody could use the login shell. (I did this to give anonymous users access to the printer)
 
1 members found this post helpful.
Old 05-29-2010, 02:08 AM   #14
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,576
Blog Entries: 31

Quote:
Originally Posted by alan99 View Post
You can run a user process without anyone being able to log into a shell. I created a user 'nobody' and locked the password so nobody could use the login shell. (I did this to give anonymous users access to the printer)
Did you configure "nobody" with a shell that is listed in /etc/shells?
 
Old 05-30-2010, 04:31 PM   #15
alan99
Member
 
Registered: Mar 2010
Distribution: Debian
Posts: 180

Yes, it is configured for shell use, but does not allow a home directory.
 
1 members found this post helpful.