Introduction
The JS7 Agent for Unix runs in a specific user account and by default executes jobs within the context and permissions of this account.
- Running a job as a different user includes logging in as that user, optionally loading the user profile and executing commands in this context.
- User switching applies to Shell Jobs and is performed by the built-in sudo and su capabilities of the operating system.
This article applies to the JS7 Agent for Unix only. For Windows environments see JS7 - Running Jobs as a different User
Basics
Users can choose to
- operate the Agent as the root run-time account:
  - This allows the Agent to execute any commands and scripts independently from ownership.
  - This allows the Agent to switch to any user account using su.
  - It is not recommended to operate the Agent as root as this includes unlimited permissions and introduces security risks.
- operate the Agent as a non-root run-time account:
  - This allows the Agent to use sudo to switch to other user accounts.
  - This requires sudo permissions to be configured for switching user accounts.
Using su from the root Account
If the Agent is operated from the root account it can use the following command to switch to a different user account:

su -l <user> <<EOF
whoami
pwd
EOF

Explanation:
- <user> is any user account available from the operating system for which a login is performed.
- For execution of multiline commands a Here String is used:
  - The commands between <<EOF (line 1) and EOF (line 4) are executed using su.
  - Instead of EOF any unique string can be used that does not match one of the commands to be executed.
  - Using <<'EOF' will prevent substitution of environment variables in a Here String.
- Executing su from the root account does not require the account's password to be specified.
Using sudo from a non-root Account
To allow user switching the Agent's run-time account can use sudo like this:

sudo -su <user> <<EOF
whoami
pwd
EOF

Explanation:
- <user> is any user account available from the operating system for which a login is performed.
- For execution of multiline commands a Here String is used:
  - The commands between <<EOF (line 1) and EOF (line 4) are executed using sudo.
  - Instead of EOF any unique string can be used that does not match one of the commands to be executed.
  - Using <<'EOF' will prevent substitution of environment variables in a Here String.
- Executing sudo from a non-root account requires the sudo configuration to be specified. The location of the sudo configuration file depends on the operating system, for example /etc/sudo.conf or /etc/sudoers.
  - Example
    To allow the Agent run-time account to run jobs for the user accounts user1 and user2 the following setting can be used in the sudo configuration file:
    <run-time-account> ALL=(user1, user2) NOPASSWD: ALL
    To allow the Agent run-time account to run jobs for all user accounts the following setting can be used:
    <run-time-account> ALL=(ALL) NOPASSWD: ALL
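The effect of <<EOF versus <<'EOF' applies to both the su and the sudo form above. The following is an added example, not part of the JS7 documentation, showing which account's context evaluates variables and command substitutions in each case. Assumptions: `env -i ... sh` stands in for `su -l <user>` / `sudo -su <user>` so that it runs without privileges, and JOB_USER is a hypothetical variable with constructed values.

```shell
#!/bin/sh
# JOB_USER is a hypothetical marker variable: its value tells us which
# context (Agent run-time account or target account) evaluated the text.
JOB_USER=agent-account          # constructed value in the Agent's context
export JOB_USER

# Stand-in for the user switch (assumption): a fresh shell with a clean
# environment that reads its commands from stdin, like su/sudo do above.
as_target() {
    env -i PATH="$PATH" JOB_USER=target-account sh
}

# Unquoted delimiter: the calling shell (Agent account) expands variables
# and runs command substitutions BEFORE the target shell receives the text.
unquoted_heredoc() {
    as_target <<EOF
echo "var=$JOB_USER cmdsub=$(printf %s "$JOB_USER")"
EOF
}

# Quoted delimiter: the text is passed literally, so expansion and command
# substitution happen in the target account's shell.
quoted_heredoc() {
    as_target <<'EOF'
echo "var=$JOB_USER cmdsub=$(printf %s "$JOB_USER")"
EOF
}

# Unquoted delimiter with \$ escapes: pass selected values from the Agent's
# context on purpose and leave the rest to the target account's shell.
mixed_heredoc() {
    as_target <<EOF
echo "from_agent=$JOB_USER in_target=\$JOB_USER"
EOF
}

unquoted_heredoc   # var=agent-account cmdsub=agent-account
quoted_heredoc     # var=target-account cmdsub=target-account
mixed_heredoc      # from_agent=agent-account in_target=target-account
```

With the unquoted form, any $(...) in the job script runs with the Agent account's permissions before the switch takes place, which is why <<'EOF' is the safer default when the commands are meant to be evaluated entirely by the target account.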
Using Script Includes
TBD