
Re: Maintainer scripts: execute command as another user: use sudo or su?



Emilien Klein <emilien@klein.st> writes:

> TLDR: in order to execute a command as another user, should `sudo` or
> `su --command` be used?

su.  You don't want to depend on sudo to ensure that it's available, since
package users may not want sudo installed on their systems.  (I tend not
to install it on servers myself, since I use Kerberos authentication and
don't use any system that involves sending long-term keys to servers, such
as sudo's default password model.)

In addition, I recommend explicitly setting the shell to use when running
commands with su (using the -s flag).  Specialized users for running
particular applications normally should not have a valid shell, and
auditors will often require that they not have a valid shell.  You don't
want that sort of change (possibly required by local audit policies) to
break the package.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
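
A maintainer-script helper following the advice above, as an added example that is not part of the original message: it runs a command through `su -s /bin/sh` so the package keeps working when the service account has no valid login shell. The account name `myapp`, the command path, and the helper names `shquote` and `run_as` are hypothetical.

```shell
#!/bin/sh
# Added example for a postinst-style script; not from the original thread.
set -e

# Quote one argument so it survives being re-parsed by the shell that
# su starts with -c. Embedded single quotes become '\''.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# run_as USER CMD [ARG...]
# Runs CMD as USER without sudo. The explicit -s /bin/sh means the call
# does not depend on the account's login shell, which may be set to
# /usr/sbin/nologin or /bin/false by local audit policy. su honours -s
# for such accounts only when the caller is root, which is the case for
# maintainer scripts.
run_as() {
    ra_user=$1
    shift
    ra_cmd=
    for ra_arg in "$@"; do
        ra_cmd="$ra_cmd${ra_cmd:+ }$(shquote "$ra_arg")"
    done
    su -s /bin/sh -c "$ra_cmd" "$ra_user"
}

# Hypothetical use inside postinst:
#   run_as myapp /usr/lib/myapp/init-db --data-dir "/var/lib/myapp/data dir"
```

Because each argument is quoted individually, paths containing spaces or quotes reach the command unchanged instead of being split by the shell that `su` starts.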

