Picture this scenario. You are managing a Linux server that is accessed by multiple users. All users have sudo
rights. You want to test certain Linux commands with different users. How would you do that? Log in as one user and test the commands, and then log out and log back in as another user and test commands? Yes, It is one way to do it. However, there is a simple way to run commands as another user via sudo in Linux. Read on to find out.
For the purpose of this guide, I have created two user accounts namely "senthil" and "kumar" in my AlmaLinux 8 test machine. I am going to use "senthil" as current user and "kumar" as the target user.
I want the user "senthil" to be able to run any command as user "kumar" on any hosts, without actually logging in as "kumar". Understood? Well, let me show you an example.
Table of Contents
Run Commands As Another User Via Sudo
I currently logged in as user "senthil". Let me show you the currently logged in user with whoami
command.
$ whoami senthil
Now I am going to run a simple "echo
" command with sudo
as the target user "kumar" while logged in as "senthil":
$ sudo -u kumar bash -c 'echo "My Username is $USER, and my user ID is $UID"'
You will be prompted to enter the password of current user (i.e. "senthil" in this case). Once authenticated, the echo
command will be run as user "kumar" and display the username and user id of the "kumar".
Sample output:
[sudo] password for senthil: My Username is kumar, and my user ID is 1001
What we actually just did is we executed the "echo
" command as user "kumar" while we logged in as "senthil". This is why you see the username and user id of kumar, but not senthil's.
Let us verify if the uid of the user "kumar" is correct with id
command.
$ id kumar uid=1001(kumar) gid=1001(kumar) groups=1001(kumar),10(wheel)
Yes, the uid of kumar is correct in both outputs.
Here, the -u
flag is used to run the given command as another user (i.e. kumar in this case) and bash -c
is used to mention the name of the command. You should mention the command within single quote.
If you don't use bash -c
option, the echo
command will return the username and uid of the current user instead of the target user.
$ sudo -u kumar echo "My Username is $USER, and my user ID is $UID"
My Username is senthil, and my user ID is 1000
Similarly, you can run any commands as different user.
Please note that in our previous example command, I didn't enter sudo
password for the target user. Why? Because, the echo
command doesn't require sudo
password.
If you run a command that requires sudo
permission as another user, you must enter the password. Here is another example.
$ sudo -u kumar bash -c 'sudo dnf --refresh update'
Sample output:
[sudo] password for senthil: [sudo] password for kumar: AlmaLinux 8 - BaseOS 344 B/s | 4.3 kB 00:12 AlmaLinux 8 - AppStream 388 B/s | 4.7 kB 00:12 AlmaLinux 8 - Extras 316 B/s | 3.9 kB 00:12 Dependencies resolved. Nothing to do. Complete!
Did you notice that I entered sudo
password for both users? Yes. Because, we run "sudo dnf update
", which requires elevated privileges. That's why it is required to enter the sudo
password for the target user. For normal commands e.g. ls
, uname
etc., we don't need to enter the target user's password.
Not just Linux commands, you can apply this method to run scripts as well. Let us say you want to run backup script that is saved in the $HOME
directory of another user. You can simply run the script from the current user as other user by using this command:
$ sudo -u kumar bash -c '~/backup_script_name'
Run Commands Without Sudo Password
Disclaimer: You should be very careful while applying this method. This method can be used for both productive and destructive purposes. Say for example, if you allow users to execute 'rm'
command without sudo
password, they could accidentally or intentionally delete important files. Don't do this unless it is absolutely necessary.
Sometimes, you might be in a situation where you don't want to enter the sudo password for every commands. In such cases, you can skip the password prompt for specific commands by adding NOPASSWD
option in /etc/sudoers
file.
Let us say you want to allow a certain users to run any dnf command without sudo password. To do so, first find the path of the dnf
command using which
or whereis
commands.
$ which dnf /usr/bin/dnf
$ whereis dnf dnf: /usr/bin/dnf /etc/dnf /usr/share/man/man8/dnf.8.gz
As you can see, the executable path of dnf
command is /usr/bin/dnf
.
Now, edit /etc/sudoers
files using command:
$ sudo visudo
Heads Up: Please note that you should not manually edit the sudoers
file using any text editor. Always use visudo
command to safely edit the sudoers
file.
Add the following line at the end the file to allow the user called "kumar" to run dnf
commands without sudo password.
kumar ALL=NOPASSWD:/usr/bin/dnf
Save the file and exit.
From now on, the user "kumar" can able to run dnf
commands without sudo
password.
[senthil@Almalinux8CT ~]$ sudo -u kumar bash -c 'sudo dnf --refresh update' [sudo] password for senthil: AlmaLinux 8 - BaseOS 358 B/s | 4.3 kB 00:12 AlmaLinux 8 - AppStream 324 B/s | 4.7 kB 00:14 AlmaLinux 8 - Extras 302 B/s | 3.9 kB 00:13 Dependencies resolved. Nothing to do. Complete!
See? We don't need to enter sudo
password for "kumar".
To revoke this behavior, simply remove the previously added line from the sudoers file.
Conclusion
In this brief tutorial, we discussed how to allow users to run commands as another user via sudo in Linux. We also learned how to disable sudo password prompt for certain users when running specific command(s) by modifying sudoers
file.
As I warned, you must be careful while testing this method on a production system. You may unknowingly allow a user to run a harmful command (e.g. rm
) without having to enter sudo password. You should always be careful while testing these kind of Linux tips.