Run Part of a Shell Script as a Different User With Runuser

Last updated: June 10, 2022

Reviewed by: Hiks Gerganov

1. Introduction

Sometimes when writing a script on Linux, it's necessary to run commands as another user.

In this article, we'll discuss how that's achieved with the command runuser. Also, we'll look at how to automate, so that we don't require user authentication, and how to manage user permissions.

2. Using runuser

The command runuser changes the user that runs a command. runuser is similar to the su command, but it differs slightly.

For instance, only the root user can call runuser. Therefore, it will not prompt for a password. This behavior is well-suited for scripting, and later in the article, we'll look at using it with sudo to give access to specific commands to unprivileged users.

To specify the user to run a command as we can provide a name after the -u flag. Let's try running the command whoami with runuser:

# runuser -u baeldung whoami
baeldung

Here, we can see whoami ran as the user baeldung.

3. Using runuser in a Script

Let's put together a script in /home/baeldung/script.sh that simply outputs information about the current user.

#!/usr/bin/bash
echo "this script was run by $(whoami)"
echo "this script is running this command as $(runuser -u baeldung whoami)"

If we run this script as root, we can see the following output:

# /home/baeldung/script.sh
this script was run by root
this script is running this command as baeldung

This shows the user root ran the script and in the second line of output ran the command whoami as baeldung.

4. Permission Management

Let's look at a use case where combining runuser with sudo can offer more fine control over user permissions.

In this example, we want to enable user baeldung to execute a script that runs whoami as user. However, we don't want to allow baeldung to use whoami freely as user outside the script. To do so, we can use sudo to allow baeldung to run the script as root. Within the script, we can run whoami as user.

Let's look at setting up the script first. The only difference from the previous one is the target user we're giving runuser:

#!/usr/bin/bash
echo "this script was run by $(whoami)"
echo "this script is running this command as $(runuser -u user whoami)"

To avoid allowing the user to change the script and run arbitrary commands as root, we'll make the script owned by root. Let's use chown to change the file's owner to root:

# chown root script.sh

Next, let's allow baeldung to run the script as root. We'll use sudo, but we can also use su. Let's add the permissions by using the visudo command to add this line to the sudoers file:

baeldung ALL=(root) NOPASSWD: /home/baeldung/script.sh

To break that line down, it allows the user baeldung, on all hosts, as user root, with no password, to run the script /home/baeldung/script.sh.

Let's try running the script now. We'll run it from the user baeldung and use sudo to run it as root:

$ sudo /home/baeldung/script.sh
this script was run as root
this script is running this command as user

The script ran as root and then used runuser to switch to user and run whoami. sudo didn't ask for a password because of the permissions we set. Of course, runuser ran because the script was executed as root.

5. Conclusion

In this article, we discussed using runuser to change users while scripting. We also looked at managing user permissions to allow unprivileged users to run these scripts.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.