How to execute a command with admin privileges and access to files of the logged in user?

7

4

I have some problems understanding sudo. I am logged in on a terminal as a non-admin/non-root user. This "normal" user is not in the sudoers file (and shouldn't be, in my opinion).

Now I try to execute a command that needs admin/root privileges and also access to directories of my normal user – therefore I am not able to simply su into an admin or root user.

In my understanding sudo -u root should do the trick – however it doesn't accept the password for root (or admin if I try with my normal admin user). It only accepts the password of the "normal" user which seems to indicate that the -u username option doesn't work the way I expect it to work.

My expectation is that sudo -u root some_command executes some_command with the privileges of root and therefore it asks also for the password of root. Obviously not.

TL;DR: How do I execute any command that requires admin privileges AND has access to the files of the "logged in (normal) user" without adding the normal user to the sudoers file?

I have enabled the root user under Mac OS X 10.7.

robertj

Posted 2011-09-13T14:21:46.603

Reputation: 373

Answers

13

sudo always requires the executing user's password (and requires that you have specific permissions to do this, i.e. are one of the sudoers).

su requires the password of the target account (root by default, but the root account has no password on OS X by default). If you use su instead, you can enter the destination account's password and execute a command using that user's privileges.

su -c some_cmd # as root
su username -c some_cmd # as username

This works by passing all arguments after the user name to the destination account's login shell. Shells usually support -c <commands> arguments. In GNU coreutils su, there's an actual -c command argument to su that can be placed before the user name.


You can su to another user account (using the other user account's password), and sudo from there, provided that other account is a sudoer.

If you want neither to enter another account's password, nor give your regular account sudoers permissions, you're pretty much out of options unless you consider SSH with key authentication or something like that.

Daniel Beck

Posted 2011-09-13T14:21:46.603

Reputation: 98 421

Sudo doesn't always require a password. Calling sudo updates the timestamp and allows running sudo without giving a password for a couple of minutes (this varies between OSes). – solgar – 2017-01-10T14:44:06.677

Hi, thanks for the answer.

I am not sure if I understand you correctly. As far as I can tell, if I su into root I will lose access to the files of the initially logged in user - however this is exactly what I need.

Let me be more concrete: I am using npm (node package manager) to install a self-written package into the global package registry on my machine. To do this I need access to "/usr/local/lib/node_modules/..." which the logged-in user (let's say "robert") doesn't have. The package resides in "~/my_package". su doesn't help as it has no access to this folder (next comment) – robertj – 2011-09-13T21:29:25.227

and adding "robert" to the sudoers file seems like total overkill to me. – robertj – 2011-09-13T21:31:12.090

@robertj Root can access all users' files. So if you su without specifying a user, you're good. – Daniel Beck – 2011-09-14T08:03:21.360

I'm running OS X 10.8.3 and 'su -c' is not recognized as a valid option for me...: "su: illegal option -- c" – Motsel – 2013-05-23T07:23:35.793

@Daps0l Fixed, try the changed command. – Daniel Beck – 2013-05-23T17:40:29.830

Thanks! Is it also possible to combine this with sudo AND only have to type in the (same) password 1 time? Something like this: su username -c 'sudo some_cmd' – Motsel – 2013-05-24T12:18:55.327

@Daps0l Not that I know of, except by allowing username to run some_cmd as root all the time (look for NOPASSWD in man sudoers). (If the down vote I received for this answer is yours, I'd appreciate if you could undo that) – Daniel Beck – 2013-05-24T13:39:05.127

5

Unless you really "need" to maintain a separate root user on Mac OS X, it's often much easier to just get a root shell using sudo -s

In your case, non-admin users are not included in /etc/sudoers - so you would have to add by hand the users/groups you intend to have sudo accept.

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

Once that's done, sudo will inherit almost all of the nice things from your shell like PATH and other variables, but elevates your non-admin user instantly to root. The downside of enabling root is time and the security risk of someone actually logging in locally or remotely as root.

Keep in mind, sudo is asking for the password of the user that logged in to the loginwindow screen. su - wants the password of the root account, sudo -s uses privilege escalation to use the current user's password to become root without needing any (or in your case, the actual) root password.

bmike

Posted 2011-09-13T14:21:46.603

Reputation: 2 773

2

If you are using a standard account (usually for security reasons) and you know an administrator username and password, you can do su -l admin_user. After entering the password, you are now, for all effects, acting as that administrator. Then you can sudo to your heart's content. Now, just logout to go back to your original plain account.

Erik Neves

Posted 2011-09-13T14:21:46.603

Reputation: 21

0

My terminal executable cannot achieve what it will itself, but by doing that annoying operation:

Open App>Utility>Terminal.app;

~ user$ sudo /PATH_TO_TERMINAL_EXEC

Get administrator privileges;

Done.

... That's what is inside terminal_executable

#!/bin/bash

echo PATCHING HOSTS FILE...!
echo  >> /etc/hosts
echo \# IsPatched >> /etc/hosts
echo 127.0.0.1 somewebsite.com >> /etc/hosts

... What I have already tried is

#!/bin/bash

tmpvar=$(whoami)
echo TRYING!
su $tmpvar echo 127.0.0.1 somesite.com >> /etc/hosts

or

su cuskus -c sudo -s echo 127.0.0.1 somesite.com >> /etc/hosts

Just got #!/bin/bash window after asking for password but cannot execute any code because of privileges.

cuskus

Posted 2011-09-13T14:21:46.603

Reputation: 1

This solved my problem: http://superuser.com/a/1021174/622740 – cuskus – 2016-07-30T09:24:18.903
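
An added example, not part of any post above: in the attempts quoted in the last answer, the `>> /etc/hosts` redirection is opened by the calling, unprivileged shell, so only `echo` runs under the other account. The sketch below lets the privileged process (`tee -a`) do the write and skips entries that are already present. `add_hosts_entry` and `PRIV` are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example; add_hosts_entry and PRIV are hypothetical names.
# Usage: add_hosts_entry /etc/hosts 127.0.0.1 somewebsite.com

# Command prefix for the privileged write. Set PRIV="" when the target file
# is writable by the current user (for instance a scratch copy for testing).
PRIV="${PRIV-sudo}"

# add_hosts_entry FILE IP HOSTNAME
# Appends "IP HOSTNAME" to FILE unless that mapping already exists.
# Returns 0 if added, 1 if already present, 2 on bad input, 3 if the write failed.
add_hosts_entry() {
    file=$1 ip=$2 host=$3

    # Allow only address/hostname characters so a caller cannot smuggle
    # whitespace or newlines (extra entries) into the file.
    for field in "$ip" "$host"; do
        case $field in
            ''|*[!A-Za-z0-9.:-]*) return 2 ;;
        esac
    done

    # Look for the mapping as whole fields; stop at a trailing "# comment".
    if [ -r "$file" ] && awk -v ip="$ip" -v host="$host" '
            $1 == ip {
                for (i = 2; i <= NF; i++) {
                    if ($i ~ /^#/) break
                    if ($i == host) found = 1
                }
            }
            END { exit !found }' "$file"; then
        return 1
    fi

    # tee runs under $PRIV and opens the file itself. A ">>" on this line
    # would be opened by the unprivileged shell before sudo even starts.
    printf '%s %s\n' "$ip" "$host" | $PRIV tee -a "$file" >/dev/null || return 3
}
```

With the default `PRIV=sudo`, the password prompt and permission check follow the rules described in the answers above: sudo asks for the invoking user's password and requires that user to be permitted in sudoers.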