How can I run a process as its owner or become its owner without logging in?

According to https://unix.stackexchange.com/a/489913/674

cron jobs can run as any user, without that user being logged in.

root doesn’t need to log in to start the init process, thankfully (imagine handling a fleet of thousands of servers and millions of VMs otherwise);

If I want to run a process, with me as its owner, without logging in, how can I do that at both system/library call level and utility level?

If root wants to do that, how can it do it?

How can a service user which can’t log in start a process as its owner or become its owner later?

Is the only way to call setuid() or seteuid() in the program run by the process?

Thanks.

Answers:


Method 1

There are 3 ways to change user of a process in Unix.

2 system level ways to change user of a process

  • If the process has the capability CAP_SETUID (traditionally root has this capability, and all other capabilities), then it can use the setuid, setreuid, setresuid and setfsuid system calls to change to any other user. Any other user can shuffle uids: a process has 3 uids, and it can move them around at will: it can swap them, or remove them until it is down to one. It cannot add uids unless it has capability CAP_SETUID. In general a process can only lose privileges or move them around using these system calls. These calls allow the program to continue.
  • exec a suid executable: If an executable file has its suid bit set, and if it is of a valid type (not a script, not java, not …), then when it is run, its effective user id is changed to that of the file's owner. (The same can be done for group with the sgid bit.) This is the only way to gain privileges. The current program ends when exec is called; it is replaced with the new program, but it is the same process, and it also inherits open files (e.g. stdin, stdout, stderr).

fork does not change user.
A forked process is an exact duplicate of its parent, with a few exceptions (see man fork). In particular the uid, gid, and capabilities are not changed.

Utility methods

These programs use the 2 system methods described above.

  • use sudo or su:
    • su will ask for the password of the other user.
    • sudo will ask for your password, but will only work if you are registered in the sudoers file.

sudo, su, login, cron etc. use the 2 system methods. (And will create a new process. The other system methods do not create a new process.)

What do sudo and su do?

#↳ ll /usr/bin/sudo
-rwsr-xr-x 1 root root 155K Sep  9  2017 /usr/bin/sudo*

As you can see, the sudo executable is owned by root, and has the suid bit set (the s, where you would expect to see the first x).

When sudo is run, it runs as root (don’t try this, unless you know what you are doing). It then does security checks. Then it uses set??uid to become the required user; it then execs (and maybe forks) the required program.

Running a process, without logging in

Use some timed start service.

  • cron
  • at

Send a network message, e.g. a web-server may run a task in response to a web request.

Use automated login: use ssh to launch a process, via a script on another machine.
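
The sequence the answer describes for sudo (start with some identity, switch with the set??uid family, then exec), written out as an added example; it is not part of the original answer and is not sudo's code. The names drop_privileges and run_as are hypothetical, and testing geteuid() == 0 is a simplification standing in for a CAP_SETGID check.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently become uid/gid in the calling process. Returns 0 or -1.
 * Order matters: groups and gid go first, because once the uid has
 * changed the process may no longer be allowed to change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Simplification: euid 0 stands in for CAP_SETGID. An unprivileged
     * process cannot change its supplementary groups and keeps them.
     * A real tool would load the target's groups with initgroups(). */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* setre[ug]id(x, x) sets the real, effective and saved ids together. */
    if (setregid(gid, gid) != 0 || setreuid(uid, uid) != 0)
        return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A leftover saved uid of 0 would let this call succeed. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Fork, switch identity in the child, then exec argv there. Returns the
 * child's exit status, 126 if the identity switch failed, 127 if exec
 * failed, -1 if fork or wait failed. */
int run_as(uid_t uid, gid_t gid, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Run by an ordinary user, run_as succeeds only for that user's own uid and gid; any other target returns 126, which is the "cannot add uids without CAP_SETUID" rule from the answer.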


All methods were sourced from stackoverflow.com or stackexchange.com, and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
