How can I run a shell as a user that has no shell access?

Question

Maybe I'm not using the right terms so allow me to explain myself using an example. Connecting over SSH as user "centos" and executing cat /etc/passwd in my Centos7 machine I get:

centos:x:1000:1000:Cloud User:/home/centos:/bin/bash
www:x:1001:1001::/home/www:/sbin/nologin

Now, if try sudo su www - I get: This account is currently not available.

That according to my limited knowledge is due to the nologin part. What I want to do is to be able to switch to the www user in the SSH session without (if possible) giving the www user the possibility to access directly the server over SSH, like when the root user tries to SSH and get an error telling that you are supposed to log in as centos and then change to root if needed.

What will be the steps to achieve the desired behavior?

"shell access" kind of implies that user being able to log in directly. Sure, you could block them from SSH specifically, but still allow password logins on a console terminal, serial port, or other place where you could run a getty daemon. So that answers your question title, rather than what you're actually asking (about starting a shell as another user that can't login directly.) — Peter Cordes, Dec 10 '21 at 14:05
I'll grant deman this, the title of the question is poorly worded compared to what the asker is actually trying to achieve per the text. Fixing. — Shadur, Dec 11 '21 at 09:14

score 36 · Answer 1 · answered Dec 09 '21 at 13:21

36

Just run a shell under the user.

sudo -u www bash

answered Dec 09 '21 at 13:21

Gerald Schneider

23,274
8
57
89

score 17 · Answer 2 · answered Dec 09 '21 at 21:35

17

The su command takes a shell option (-s), so you can specify which shell to use, allowing you to become the user.

sudo su www -s /bin/bash

answered Dec 09 '21 at 21:35

yoozer8

322
2
12

score 3 · Answer 3 · answered Dec 10 '21 at 22:32

3

The command syntax you're looking for is sudo -u www -s

This will drop you into a shell as the www user even if they don't have a shell normally.

answered Dec 10 '21 at 22:32

Shadur

1,337
1
11
20

score -5 · Answer 4 · answered Dec 10 '21 at 18:08

-5

Yes, you need to alter /etc/passwd - set a valid shell for this user. In order to run commands as this user, sudo -u www might help.

answered Dec 10 '21 at 18:08

deman_killer

38
6

4

That's 1) not what they asked and 2) even if it were this would be *terrible advice* to give to someone who's clearly unused to unix. Do **NOT** edit `passwd` manually if there is *any* alternative available. – Shadur Dec 10 '21 at 22:31
It is the right answer for the title and diag. But detailed question is different. Why not drop question's rate? – deman_killer Dec 10 '21 at 23:16
2

It's terrible advice to access service accounts with a secure shell. – deman_killer Dec 10 '21 at 23:17
3

If you answered the title without reading the question then you deserve that -1 even more. – Shadur Dec 10 '21 at 23:17
Would you kindly? – deman_killer Dec 10 '21 at 23:19
2

Additionally: it only answers how to add the shell. You could at least add how to prevent SSH access. – Gerald Schneider Dec 11 '21 at 06:27

How can I run a shell as a user that has no shell access?

4 Answers4