How can I run a process as its owner or become its owner without logging in? [closed]
According to https://unix.stackexchange.com/a/489913/674
cron jobs can run as any user, without that user being logged in.
root doesn’t need to log in to start the init process, thankfully (imagine handling a fleet of thousands of servers and millions of VMs otherwise);
If I want to run a process, with me as its owner, without logging in, how can I do that at both system/library call level and utility level?
If root wants to do that, how can it do it?
How can a service user which can't log in start a process as its owner or become its owner later?
Is the only way to call setuid() or seteuid() in the program run by the process?
Thanks.
linux process ownership
closed as unclear what you're asking by muru, Stephen Harris, Jeff Schaller, RalfFriedl, DarkHeart Dec 19 at 22:20
2
I do not understand the point of the question. Where is the complication or novelty of a user setting up his own crontab?
– Rui F Ribeiro
Dec 19 at 13:49
1
crontab -u user -e
– RubberStamp
Dec 19 at 13:53
1
A process doesn't have an owner until it's started, so that part of the question should be reworded, I think.
– Jeff Schaller
Dec 19 at 13:53
2
Possible duplicate of su options - running command as another user
– muru
Dec 19 at 13:56
>If I want to run a process ~as~ and become its owner without logging in .... The question is now a completely different topic.
– RubberStamp
Dec 19 at 13:59
edited Dec 19 at 17:31
ctrl-alt-delor
asked Dec 19 at 13:45
Tim
1 Answer
There are 3 ways to change user of a process in Unix.

2 system level ways to change user of a process

- if the process has capability CAP_SETUID, traditionally root has this capability (and all other capabilities), then it can use setuid, setreuid, setresuid, setfsuid, system calls, to change to any other user. Any other user can shuffle uids: A process has 3 uids, it can move them around, at will: it can swap them, or remove them until it is down to one. It can not add uids, unless it has capability CAP_SETUID. In general a process can only lose privileges or move them around, using these system calls. These calls allow the program to continue.
- exec a suid executable: If an executable file has its suid bit set, and if it is of a valid type (not a script, not java, not …), then when it is run, its effective user id is changed to that of the file's owner. (same can be done for group with sgid bit). This is the only way to gain privileges. The current program ends when exec is called, it is replaced with the new program, but it is the same process, it also inherits open files (e.g. stdin, stdout, stderr).

fork does not change user.

A forked process is an exact duplicate of its parent, with a few exceptions (see man fork). In particular the uid, gid, and capabilities are not changed.

Utility methods

These programs use the 2 system methods described above.

- use sudo or su: su will ask for the password of the other user. sudo will ask for your password, but will only work if you are registered in the sudoers file.

sudo, su, login, cron etc use the 2 system methods. (And will create a new process. The other system methods do not create a new process.)

What does sudo, su do?

#↳ ll /usr/bin/sudo
-rwsr-xr-x 1 root root 155K Sep 9 2017 /usr/bin/sudo*

As you can see the sudo executable is owned by root, and has the suid bit set (the s, where you would expect to see the first x).

When sudo is run, it runs as root (don't try this, unless you know what you are doing). It then does security checks. Then it uses set??uid to become the required user, it then execs (and maybe a fork) the required program.

Running a process, without logging in

- Use some timed start service.
  - cron
  - at
- Send a network message, e.g. a web-server may run a task in response to a web request.
- Use automated login: use ssh to launch a process, via a script on another machine.
Thanks. Would like to know more about how "Send a network message, e.g. a web-server may run a task in response to a web request" starts a new process with a different user?
– Tim
Dec 20 at 4:05
I believe root process can drop this capability, I know it's nit-picking, but I think it would be better without mentioning "root has this", after all, capability set is independent from process UIDs, right?
– 炸鱼薯条德里克
Dec 20 at 4:41
3
@Tim Your (later) edits to the answer are confusing. First of all, a process can never be "not running". Secondly, the whole "Running a process, without logging in, means changing the user of a running process, without invoking the login program. (?)" reads like a question that should have been a comment.
– Kusalananda
Dec 20 at 7:28
@Tim additionally, login isn’t often involved when logging in; for example, logging in using a display manager, or connecting with SSH, doesn’t involve login.
– Stephen Kitt
Dec 20 at 8:41
I reverted @Tims edits, and then incorporated the bits that were useful: changed layout of answer, so it maps better to the question. (there were many bits that were incorrect or misleading).
– ctrl-alt-delor
Dec 20 at 19:47
edited Dec 21 at 20:10
answered Dec 19 at 17:06
ctrl-alt-delor
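
The answer's rule that a process can only lose uids or move them around, and the "become the required user" step it attributes to sudo, shown as an added C example (not code from the answer or from sudo). The function names, the result codes and the target uid/gid 65534 are assumptions made for the demo; the check runs in a forked child so the calling process keeps its identity.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* setresuid(), setresgid(), getresuid() */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Repeated so the block still compiles if <unistd.h> was already included
 * without _GNU_SOURCE; the signatures are those of glibc and musl. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

enum drop_result { DROP_OK = 0, DROP_REVERSIBLE = 1, DROP_UNAVAILABLE = 2 };

/* Constructed demo target: 65534 is conventionally "nobody". */
#define DEMO_UID ((uid_t)65534)
#define DEMO_GID ((gid_t)65534)
#define KEEP     ((uid_t)-1)    /* "leave this id unchanged" */

/* Permanently become uid/gid. Supplementary groups and gids go first:
 * once all three uids are non-zero the process can no longer change them. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t r, e, s;

    if (setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Never assume the calls worked: read real, effective, saved back. */
    if (getresuid(&r, &e, &s) != 0) return -1;
    return (r == uid && e == uid && s == uid) ? 0 : -1;
}

/* Runs in the child. Root drops to the demo account first; an ordinary
 * user already holds a single uid and goes straight to the check. */
static enum drop_result child_check(void)
{
    uid_t r, e, s;

    if (geteuid() == 0 && drop_privileges(DEMO_UID, DEMO_GID) != 0)
        return DROP_UNAVAILABLE;    /* no CAP_SETUID, or uid not mapped */
    if (getresuid(&r, &e, &s) != 0 || r != e || e != s)
        return DROP_UNAVAILABLE;    /* more than one uid still held */
    /* Down to one non-zero uid: adding uid 0 back must be refused. */
    if (setresuid(KEEP, 0, KEEP) == 0 || setresuid(0, 0, 0) == 0)
        return DROP_REVERSIBLE;
    return DROP_OK;
}

/* fork() copies the credentials, so the child starts with the caller's
 * uids and anything it drops is lost only in the child. */
enum drop_result check_drop_is_permanent(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return DROP_UNAVAILABLE;
    if (pid == 0) _exit(child_check());
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return DROP_UNAVAILABLE;
    return (enum drop_result)WEXITSTATUS(status);
}

int main(void)
{
    static const char *msg[] = {
        "drop is permanent: uid 0 cannot be added back",
        "uid 0 could be regained (process still has CAP_SETUID?)",
        "could not drop privileges in this environment",
    };
    enum drop_result res = check_drop_is_permanent();

    printf("%s\n", msg[res]);
    return res == DROP_REVERSIBLE;
}
```

A launcher of the kind the answer describes would call drop_privileges() in the child and then exec the target program, treating any failure as fatal rather than continuing with the old uids.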