Description of problem: It seems that when "runuser" executes something, with user ID, it does not clean up (sanitize) the environment. This leads to problems whenever some environmental variable is used by the executed process, leading, for example, to permission problems. Version-Release number of selected component (if applicable): util-linux-2.25.2-3.fc21.x86_64 How reproducible: Always Steps to Reproduce: 1. As root: /bin/mkdir -p /tmp/root -m 700 export TMPDIR=/tmp/root 2. runuser -u someuser somecommand_using $TMPDIR Actual results: Usually the "somecommand_using" fails, because it gets $TMPDIR from root environment, with root permissions only (which are not for all, in this example). Expected results: Well, likely "runuser" should clean up all environmental variables not strictly needed and / or replace the needed ones ($PATH maybe?) with proper values. Additional info: In Ubuntu / Debian there is "runas", which does indeed clean up the environment before running a command as user. Hope this helps, bye, pg
man runuser: For backward compatibility, runuser defaults to not change the current directory and to only set the environment variables HOME and SHELL (plus USER and LOGNAME if the target user is not root). ... -, -l, --login Start the shell as a login shell with an environment similar to a real login: o clears all the environment variables except for TERM o initializes the environment variables HOME, SHELL, USER, LOGNAME, PATH o changes to the target user's home directory o sets argv[0] of the shell to '-' in order to make the shell a login shell
Hi Karel, thanks for the information, but that's not really the same, unless I'm missing something. runuser -u user ls /var/tmp <content of /var/tmp> runuser - user ls /var/tmp /bin/ls: /bin/ls: cannot execute binary file Of course, it seems to work with something like: runuser - user -c 'ls /var/tmp' So, yes, the "-l" option has that feature, but it does not really allow to execute a command. The "-c" I'm not sure it is really correct. Maybe I forgot to mention, this command should run in a script executed by root, doing something like "rpmbuild" or similar, as a non-root user. Clearly, if "-c" is the correct way to go, then I can change to that. Thanks again, bye, pg
Yes, "-c" is necessary. Unfortunately, we cannot change the current behavior (due to backward compatibility) to clear environment for "-u". Maybe introduce a new option for this functionality. Anyway, you need -c for now.