Execute commands as another user | 23 comments | Create New Account
Jun 02, 2009 Hi I am a recent user of Mac and wondering about something. If I wanted to change the directory I am looking at in Command prompt in MSwindows I use a command, like unix/linux cd. If I want to change the drive I want to explore in MS windows I use c: or d: or which ever drive I want to explore. May 12, 2020 Like many other Linux terminal commands, chmod dates back to Unix from the 1970s—Linux and macOS both share this heritage, which is why the chmod command is available in macOS today. To use chmod, open a terminal window. You can do this by pressing the Launchpad icon on the Dock and clicking the “Terminal” option in the “Other” folder.
Define 'active user'. If the question is 'who is the logged in user', then 'who am i' or 'whoami' is fine (though they give different answers - 'whoami' reports just a user name; 'who am i' reports on terminal and login time too). If the question is 'which user ID is the effective ID for the shell', then it is often better to use 'id'. The ONLY place I've ever used anything like this is in a Web perl-CGI that needed to be executed with root priveleges, but run as a specific user (specifically because I was remote logging into machines where I didn't have a root password). Using 'su' without the '-' uses the current user.
Click here to return to the 'Execute commands as another user' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
You should really use sudo for this. Just type:
sudo -u usernamecommand
Not only is it easier, but it's also very customizable -- you can control which users can execute which programs as what users.
-Esme
You can also use the following to become the root user (if you have sudo access and authorization to execute the command): sudo -s It will then prompt you for your password; enter the one you use to login.
This next command is helpful if you want to run a series of commands as another user (after you are root, naturally): su username
This method is much safer than logging in as root; you don't even have to enalbe the root password. I've been using UNIX for years, and I haven't enabled the root password on any of my Macs without loosing any flexibility.
su bob will work just fine if all you want to do is change to another identity; you don't need to su to root first if you know that id's password. At the password prompt, just type 'bob's' password.
This of course only works if you an administrator. You can't su to root or any other user if you are not an admin on the box.
Only users in group 'wheel' (normally gid 0) or group 'admin' (normally gid 20) can su to 'root'.
The su command will work as ANY user, regardless of privilege. If I am logged in as 'sam' and wish to execute commands as 'joe', I type: su joe and then enter the password for the user 'joe'. No admin privileges necessary, just password knowledge. I frequently use this command on UNIX-like machines to help friends or perform some tasks when they are logged into the machine. I often su to my account to access a file, for example.
su stands for 'substitute user identity'. This is exactly what the utilty is there for. Most of the time you are changing to root, but you can change to any user (more or less.) Dan PS Try 'man su' at a command line.
sudo -u [username] [command] It's simpler to just use sudo. Then you don't need to enter the root password, and you don't need to know the user's password.
I guess this was covered in the first reply. That'll teach me for starting a post, forgetting about it, and then submitting it a couple of hours later. Anyways, sudo is your friend. man sudo man sudoers man visudo and you'll find a wealth of information on how to do all kinds of things with permissions. You can do some pretty cool things with sudo.
Note, it is often preferred to execute the command this way:
The presence of the hyphen means 'use the new user's environment'.. otherwise the su command will not overwrite the old user's environment variables.
Yet another hint that requires root to be enabled when, as has been pointed out by many others, sudo is what you want to be using! root does NOT and should NOT, EVER, need to be enabled for 99.9% of all Mac OS X systems. (Yes, there are other enterprise/server/speciality environments where having root enabled for various reasons is appropriate and accepted; I'm NOT talking about those here.) You can and should do EVERYTHING with sudo. You can get a root shell with sudo. You can execute any command as any other user as sudo. You can BECOME other users with sudo. Why do people insist on enabling and using root? And for the lazy, if you really just refuse to learn any of sudo's capabilities, at a bare minimum, just use 'sudo su' - that right there gives you a root shell, where literally ANYTHING can be done, and is the exact functional equivalent of using 'su' and using root's password. Repeat: you do NOT need root enabled; you do NOT need to be using 'su' by itself. Reasons: 1. Getting into the habit of not having root enabled discourages unnecessary uses of root (like logging in as root via the gui), where much harm can be done. Say whatever you will; this is still a good practice. 2. You REALLY CAN do ANYTHING with sudo, just as conveniently. 'It's more convenient/quicker/etc to just use su' is NOT a valid excuse, and is totally untrue: if you really need a full root shell, 'sudo su' or 'sudo -s' gets you one! 3. Having the root account enabled fundamentally exposes you to more exploit possibilities. 4. Encouraging people to use tools like sudo also encourages learning, and more responsible and wise use of the tools at our disposal. sudo: learn it. Rob, I'd actually consider removing this hint, or amending it to say something like 'sudo su <user>', which accomplishes the same thing, or any number of the other alternate other suggestions that use sudo.
You know, preaching to people on why not to use root is really pointless. If they want to use root, they will. It's really none of your concern. You don't like using root? Fine. Don't. Screaming about it whenever someone else mentions using it doesn't help.
You don't like using root? Fine. Don't. Screaming about it whenever someone else mentions using it doesn't help.
Actually, it helped a lot; I didn't really think about some of the points he brought up. Inasmuch as this is a HINTS website, you know, a place where some of us come to learn things that we previously didn't know or hadn't figured out on our own about OS X (including the CLI/ UNIX'ish underpinnings of it, I think that the original poster's comments were infact very helpful. Yours, on the otherhand, was pure flamebait.
Not to mention the fact that sudo as a command can't properly be tailored to a particular system unless someone on the system has access to /etc/sudoers for editing -- ie, is root. Any properly managed UNIX system needs root access. The trick is to confine root use only to managing the system, not as a general purpose user. -- el bid
Mac OS X is configured so that all administrators are placed in the admin (80) group, and the admin group is given sudo privileges in /etc/sudoers. Therefore, administrators can edit /etc/sudoers by 'sudo visudo', and can create more groups and assign individual non-admin users or groups whatever sudo privileges they merit (none, by default). If an administrator removes the admin group's permission to edit the config file, root has to be enabled, but that's why you only give admin access to people you trust! Mac OS X does not need root access to be properly managed because administrators have the privileges to temporarily become root (via sudo) to do anything that needs to be done, and this is without sharing one root password among (potentially) multiple administrators. -Alex Hill
I discovered this trick some time ago, but didn't find it useful because I couldn't get any apps that run graphically to work. For example, if I cd to /Applications/Calculator.app/Contents/MacOS and run Calculator, I get: kCGErrorIllegalArgument : initCGDisplayState: cannot map display interlocks. kCGErrorIllegalArgument : CGSNewConnection cannot get connection port INIT_Processeses(), could not establish the default connection to the WindowServer.Abort The same exact process works if I'm not su'ed to another user. Am I missing something?
'open' will open the command on whatever users display it is executed under. if they arent logged in, they dont have a display. you can ssh in as the logged in user, and run open, and it will work.
This is similar to the way displays are handled on Xwindows with xhost set to -, only I don't think there's any way to allow all hosts to connect to OSX's display (I haven't seen one yet, at least). The purpose of xhosts on Xwindows systems is to allow other hosts to connect to and bring up windows on your display. On an Xwindows system, typing 'xhost -' disables anyone else from sending a window to your display. If you've got X11 or XFree86 installed, try the following: start X11 launch an xterm xhost + (or xhost + [your machine/remote machine]) echo $DISPLAY su - [some other user] echo $DISPLAY note that the display won't be set for this user, so you won't be able to launch any new Xwindows from here - try one: xterm (error about Can't open display) if using csh, tcsh, or zsh type setenv DISPLAY [use value from DISPLAY above] otherwise, type export DISPLAY=[value from DISPLAY above] xterm the xterm is now be launched as the other user on your display. btw, setting and leaving xhost + is a BAD IDEA, because anyone can send a window to your display, and it could look like another window you have open (tricking you into sending them information you don't want to send), or they could send you annoying pictures or ads (hey admin, Al's looking at porn again.. no I'm no.. - where the heck did that come from!?!).
The short answer is, no. Under Mac OS X, you can't launch an application as another user (other than root).
Pardon my ignorance as I am very new to all this, but is there a way to change a user like this, and then perform tasks as that user in the Finder? (without loggin out) Or does this switch mentioned in this hint only apply for the Terminal session and to commands entered within the Terminal? Let's say, for instance, I wanted to make a slight change in a file within the System Library, but can't unless I'm root (or I change the permissions for said file).. Can I enter a command in the Terminal to change my UID so I can go and make the change as 'root', then enter another command to switch back to my UID?
Nope: you'll be root in the terminal if you execute a command such as sudo -s (this will be indicated with the '#' prompt), but changing your terminal identity this way doesn't affect the GUI: the critical windowing processes that are doing all the heavy lifting were started by the user who logged in via the GUI, and that's not going to change without a logout (or a change in the way that apple implements this stuff so that there can be multiple, swappable sessions on the go at the same time, with only one 'visible'). Cheers, Paul
Terminal Command For Selecting Current User Macos X
I've used sudo and su a lot, and there are reasons for using one or the other. By what you're saying, you want to edit a file you don't own, which you can do by using 'sudo command', where command is the command you want to do (with any required parameters). Say I want to edit /etc/passwd (for some reason) I would type sudo vim /etc/passwd [my normal password] This file is opened for editing as root, but when I save it and exit, I'm back to being my normal user. Additional sudo commands done within the next 5 minutes don't need a password (and the timer resets with each call, so if you edit a bunch of files within 5 minutes of each other you can potentially chain hours or days together), so as long as you keep doing sudos, you won't need to authenticate yourself each time. The 5 minute limit is to ensure you don't walk away from your keyboard and give someone else temporary root. I almost never use sudo -s, unless I need to do a ton of actions as root (debugging an install, for instance). With sudo -s you're leaving a door open in your system. For the most part, it's not that dangerous if you're just doing it at home, but you never know when the feds are going to wiretap your home for all those napster downloads.. A few notes about 'su': using su instead of sudo makes your effective user ID=root (euid) as well as your uid. This has implications if you're running programs that have the sticky bit set that do a setuid or setgid - er, in English, that's programs that run as a different user than the owner of them and the program itself runs some part of itself as a different user. The ONLY place I've ever used anything like this is in a Web perl-CGI that needed to be executed with root priveleges, but run as a specific user (specifically because I was remote logging into machines where I didn't have a root password). Macbook pro refresh. using 'su' without the '-' uses the current user's shell and environment variables. This is handy if you want to figure out problems with another user's shell variables. I've used this FAR too much (usually because of slow logins due to stale remote mounts or someone putting Xwindows display settings in their .cshrc). The su I'm describing above is always 'su username' though - you really never need 'su -' unless you need your effective user ID set.
Terminal Command For Selecting Current User Macos Mac
You can actually use GUI programs as root without logging out—it just involves restarting the program you want to use as root. So, on the rare occasion I need to use the Finder as root, I osascript -e 'tell app 'Finder' to quit' sudo /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder If you look up the Finder's PID, you could also quit it with sudo kill -HUP <finder_pid> but I'm not sure if the Finder will quit cleanly that way. When you're done, you can quit the same way, and start the Finder as yourself as above without the sudo, or by clicking in the Dock. My slight guesswork explanation as to why this works is that root, having access to everything, has access to your display interlocks (whatever those are), and so can use your display. I imagine that with the appropriate tweaking of groups and permissions that you could set up your computer to allow you to use your display as other users, too. MJ