Supporting users on Linux and Unix

Archive - Originally posted on "The Horse's Mouth" - 2006-04-13 05:07:11 - Graham Ellis

Q: If you're the administrator on a Linux or Unix system and you want to help a user look after some of the files and directories, or run applications, under their own account, what's the best login to use?

A: You should be logged in as if you were the user him/herself.

Q: Why?

A: Because you want the ownership of any file system objects and processes you create, and of any log entries, to be assigned back to that user, and you want the environment (PATH etc.) to be the one that the user would be using as well.

Q: Does this mean I have to ask the user to give me his / her password then?

A: No, certainly not. Here's what you should do:

a) Log in as normal through YOUR OWN user account

b) Use the command "su -" to become the administrator ... and, yes, you need the root password to do this

c) Then use the command "su - george" to become the user george. You will NOT be asked for George's password, since the administrator can "su" to any other account without giving one - he/she has already logged in and gained sufficient authority via the root account.

Q: Is that really a minus sign after the su command? Is it needed?

A: Yes, it is, yes it is. It tells the su command to set up a new environment for you using the settings for the user that you're about to become. Without it, you'll be running with your original user's environment, but with the new user's authorities. Occasionally that's convenient if you have a lot of aliases, but it can leave some huge security loopholes. It also means that you won't be seeing the system in the same way the user will, so you won't (for example) be able to exactly reproduce any problems that he's calling for support on.
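The PATH mentioned above is one place where a kept environment matters. As an added example (not from the original post), this shell function audits a PATH value for entries the account using it should not trust; the name audit_path and the three criteria it applies are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit a PATH value for entries that should not be trusted
# by the account about to use it (for instance a PATH kept from another
# account by plain "su" instead of "su -").
# audit_path is a hypothetical helper; its criteria are assumptions.

# audit_path PATH_VALUE UID
# Prints one line per suspicious entry; returns 1 if any were found.
audit_path() {
    path_value=$1
    my_uid=$2
    status=0
    set -f                       # no filename globbing while splitting
    old_ifs=$IFS
    IFS=:
    set -- $path_value           # positional parameters = PATH entries
    IFS=$old_ifs
    set +f
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *)  echo "relative or empty entry: '$dir'"
                status=1
                continue ;;
        esac
        # -L follows symlinks (e.g. /bin -> usr/bin), -n prints numeric ids
        info=$(ls -ldLn -- "$dir" 2>/dev/null) || continue   # missing: skip
        mode=${info%% *}
        owner=$(printf '%s\n' "$info" | awk '{print $3}')
        if [ "$owner" != 0 ] && [ "$owner" != "$my_uid" ]; then
            echo "$dir: owned by uid $owner, not root or uid $my_uid"
            status=1
        fi
        case $mode in
            ?????w*|????????w*)
                echo "$dir: writable by group or others ($mode)"
                status=1 ;;
        esac
    done
    return $status
}

# Check the environment this shell is actually running with.
audit_path "$PATH" "$(id -u)" || echo "PATH needs review before use"
```

Run it once after "su george" and once after "su - george" to compare what each shell was handed.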