Linux – How to run a program as another user properly with “nohup” and “&” in bash

background-processbashlinuxnohup

I have been learning bash and linux administration over the past few months while producing more and more code that needs to run in the background. I would ideally like to run my development system closer to where it would be in production in order to avoid having to redevelop code due to security and permissions problems.

Generally, I would run something with:

$nohup <program> <program args> >> <program logfile> 2>&1 &

I.e.:

$nohup ping 192.168.0.1 >> ping.log 2>&1 &

However, today I tried to set it up properly by creating a user and giving them the correct permissions to only be able to access their own files and nothing else. It seems like a sensible security practice.

I would do it like so:

$sudo -u <program user> nohup <program> <program args> >> <program logfile> 2>&1 &

However, this results in the following output when I run ps aux | grep <program>:

<admin user>@server:~$ ps aux | grep <program>
root      1396  0.0  0.0  61868  3792 pts/38   S    10:50   0:00 sudo -u <program user> nohup <program> <program args>
<program user>  1397  0.0  0.8 1273232 68308 pts/38  Sl   10:50   0:02 <program> <program args>

The problem is the first line in the output: ideally, I would like to be able to run these programs without starting any processes with root-level permissions. How do I do that?

Best Answer

you can do it that way :

su - user -c "nohup ping 192.168.122.1 >> ping.log 2>&1 &"

Related Solutions

Linux – Understanding Memory Usage and Load Average

(1) I see that each of the running processes occupies a very small percentage of memory (%MEM no more than 0.2%, and most just 0.0%), but how the total memory is almost used as in the fourth line of output ("Mem: 130766620k total, 130161072k used, 605548k free, 919300k buffers")? The sum of used percentage of memory over all processes seems unlikely to achieve almost 100%, doesn't it?

To see how much memory you are currently using, run free -m. It will provide output like:

             total       used       free     shared    buffers     cached
Mem:          2012       1923         88          0         91        515
-/+ buffers/cache:       1316        695
Swap:         3153        256       2896

The top row 'used' (1923) value will almost always nearly match the top row mem value (2012). Since Linux likes to use any spare memory to cache disk blocks (515).

The key used figure to look at is the buffers/cache row used value (1316). This is how much space your applications are currently using. For best performance, this number should be less than your total (2012) memory. To prevent out of memory errors, it needs to be less than the total memory (2012) and swap space (3153).

If you wish to quickly see how much memory is free look at the buffers/cache row free value (695). This is the total memory (2012)- the actual used (1316). (2012 - 1316 = 696, not 695, this will just be a rounding issue)

(2) how to understand the load average on the first line ("load average: 14.04, 14.02, 14.00")?

This article on load average uses a nice traffic analogy and is the best one I've found so far: Understanding Linux CPU Load - when should you be worried?. In your case, as people pointed out:

On multi-processor system, the load is relative to the number of processor cores available. The "100% utilization" mark is 1.00 on a single-core system, 2.00, on a dual-core, 4.00 on a quad-core, etc.

So, with a load average of 14.00 and 24 cores, your server is far from being overloaded.

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Best Answer

Related Solutions

Linux – Understanding Memory Usage and Load Average

Linux – How to run a server on port 80 as a normal user on Linux

Related Topic