
Linux: Impersonating Users

NOTE: This page was created to generalize the technique of impersonating a system account that has no defined shell, and no known password. Specifically, it was documented as a means to add functionality to a Jenkins build server (where the jenkins account has a disabled shell).

Solution

If a software package on a Linux host runs under a system account (one without a known password or defined shell), the following are ways to run commands as that account.

The above check in /etc/passwd will indicate what shell is defined for the Jenkins user.

Normally, it will be set to: /bin/false.
This means that the user's shell is disabled.

The screenshot above shows the jenkins shell as /bin/bash.
That was set as a permanent fix, which may have been a drastic solution and, as we have since learned, not totally necessary.

Here are some options for when we must install things that the jenkins user will execute.

1. Temporarily Switch to Another User (If It Has No Defined Shell)

If the login shell is /bin/false or /usr/sbin/nologin, you won't be able to use su jenkins directly.
Instead, you can run either of these:

sudo su -s /bin/bash jenkins

Or:

sudo -u jenkins bash

This gives you a shell as jenkins.

2. Permanent Change (If You Want to Allow Logins)

If you want to enable login for the jenkins user, you can change its shell to /bin/bash:

sudo usermod -s /bin/bash jenkins

Now, you can switch users normally with:
sudo su jenkins

Or (if running as root):
su - jenkins
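
To find accounts where the permanent change in section 2 has been applied, the /etc/passwd check can be scripted. The following is an added example, not part of the original page; the UID threshold of 1000, the list of non-login shells and the sample passwd entries are assumptions.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for service accounts that can log in.
# Assumptions: system accounts have UID < 1000, and /bin/false or */nologin
# are the non-login shells. Adjust both to the distribution in use.

# Print the login shell (7th field) of one account; non-zero exit if absent.
# usage: login_shell_of USER [PASSWD_FILE|-]
login_shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# Print "name:shell" for every non-root account below the UID threshold
# whose shell is not a known non-login shell.
# usage: service_accounts_with_login_shell [PASSWD_FILE|-] [FIRST_HUMAN_UID]
service_accounts_with_login_shell() {
    awk -F: -v max="${2:-1000}" '
        /^#/ || NF < 7 { next }           # skip comments and malformed lines
        $3 == 0 || $3 >= max { next }     # skip root and regular users
        $7 == "" { print $1 ":(empty, defaults to /bin/sh)"; next }
        $7 !~ /(\/false|\/nologin)$/ { print $1 ":" $7 }
    ' "${1:-/etc/passwd}"
}

# Constructed sample data (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jenkins:x:112:117:Jenkins,,,:/var/lib/jenkins:/bin/bash
postgres:x:113:118:PostgreSQL:/var/lib/postgresql:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Demo on the constructed sample; "-" makes awk read standard input.
sample_passwd | service_accounts_with_login_shell -
```

Called without arguments, service_accounts_with_login_shell reads the host's own /etc/passwd.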

3. Running a Specific Command as the Jenkins User

If you only need to run a single command as jenkins, you can use:

sudo -u jenkins <command>

For example:

sudo -u jenkins whoami

Or:

sudo -u jenkins ssh-keygen -t rsa -b 4096 -f /var/lib/jenkins/.ssh/id_rsa

Examples

Here are examples of how to use the above technique to impersonate a user.

Installing SSH Keys

sudo -u jenkins mkdir -p /var/lib/jenkins/.ssh
sudo -u jenkins chmod 700 /var/lib/jenkins/.ssh
sudo -u jenkins ssh-keygen -t rsa -b 4096 -f /var/lib/jenkins/.ssh/id_rsa

Configuring Git for a Jenkins User

sudo -u jenkins git config --global user.name "Jenkins CI"
sudo -u jenkins git config --global user.email "jenkins@example.com"

Getting Environment Variables for a User

sudo -u jenkins env