3

On a CentOS server where I'm logged in via SSH as root, I do:

su otherusername

where 'otherusername' is the user name of another user, which exists.

It does nothing. After that, I'm still root. `whoami` returns root, any file I create belongs to root, that is, `su` just doesn't su.

However it does not give any error message. If I try to su with an invalid user name it does give an error message.

What am I missing??

matteo
  • 1
    Does otherusername have a valid shell in `/etc/passwd`? – Ladadadada Jun 10 '12 at 22:42
  • @Ladadadada Yeah, that's about the only way I've ever seen that occur. You really ought to toss that in an answer with some technical explanation around shells. That'd be worth a few upvotes. – Magellan Jun 10 '12 at 23:40
  • Oh I see! No, the user does not have a shell. Is there a good reason for not giving an error message in these cases, though? – matteo Jun 11 '12 at 06:22
  • @Adrian It's as good a guess as any, done. – Ladadadada Jun 11 '12 at 09:15
  • 2
    @matteo if there's no valid shell for a user in /etc/passwd, the 'su' command assumes it was done that way for a reason. It does return a '1' for errorlevel though, if I remember correctly. You can test for that if you're scripting something. – Magellan Jun 11 '12 at 17:05

1 Answer

7

Does otherusername have a valid shell in /etc/passwd?

What su does is execute a process as another user. The process it chooses by default is whatever is in the last field in /etc/passwd for the user in question. This is usually a shell such as /bin/sh or /bin/bash. When that process ends, you are dumped back into the original shell you started in, owned by root.

As far as su is concerned, it has successfully switched to the correct user so no error message is required. It then hands control off to the configured shell by executing that. If this shell is something like /bin/false, it will simply do what /bin/false always does, which is exit with a 1 (false) status, dropping you back to the parent shell owned by the root user. /bin/true does the same thing but with a status of 0 (true).

Other pseudo-shells may exhibit different behaviour. For instance, /usr/sbin/nologin echoes

This account is currently not available.

before exiting with 1.

You can change the configured shell for a user with `usermod -s /bin/bash otherusername` as the root user.


You may see similar confusing behaviour around sudo if you use it with cd. If you are a normal user and can't cd into a directory, `sudo cd directory` will print no error message, will not change you to root and will not change your directory.

The reason for this is that it starts a new shell as root, changes directory to the correct directory and then immediately exits, leaving you back in your original shell in your original directory.

Ladadadada
  • 3
    To re-emphasise a point here - if there's an account you don't want to have shell access, you should usually set its shell to `/usr/sbin/nologin` rather than `/bin/false` so that it's clear that shell-access is disabled. – nickgrim Jun 11 '12 at 10:23
  • 1
    @nickgrim Actually, Ubuntu 12.04 uses /bin/false for system users that shouldn't have shells. – Magellan Jun 11 '12 at 17:03
  • and apparently CentOS does too – matteo Jun 11 '12 at 22:23
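
The behaviour described in the answer (su executes whatever is in the last field of /etc/passwd) can be checked before running su. The script below is an added example, not part of the original answer or comments; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict what `su USER` will do from passwd(5)-format lines.
# Field 7 is the program su executes after it has switched user.

# Print the verdict for one shell path ($1).
shell_verdict() {
    case "$1" in
        "")        echo "interactive (empty field, /bin/sh is used)" ;;
        */nologin) echo "no-login (prints a message, exits 1)" ;;
        */false)   echo "no-login (silent, exits 1)" ;;
        */true)    echo "no-login (silent, exits 0)" ;;
        *)         echo "interactive" ;;
    esac
}

# Read passwd-format file $1 and print: user, shell, verdict (tab separated).
audit_shells() {
    while IFS=: read -r name _pw _uid _gid _gecos _home shell; do
        case "$name" in ''|'#'*) continue ;; esac
        printf '%s\t%s\t%s\n' "$name" "${shell:--}" "$(shell_verdict "$shell")"
    done < "$1"
}

# Verdict for user $1 in passwd-format file $2; returns 2 if the user is unknown.
su_outcome() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7; found = 1; exit }
                               END { exit !found }' "$2") || return 2
    shell_verdict "$shell"
}

# Constructed sample data (not taken from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
otherusername:x:1001:1001::/home/otherusername:/bin/false
apache:x:48:48:Apache:/var/www:/sbin/nologin
legacy:x:1002:1002::/home/legacy:
EOF
audit_shells "$sample"
```

On a real host, run `audit_shells /etc/passwd`. As root, `su -s /bin/bash otherusername` starts a one-off shell as that user without changing the account's configured shell.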