Skip to main content

Linux: Impersonating Users

NOTE: This page was created to generalize the technique of impersonating a system account that has no defined shell, and no known password. Specifically, it was documented as a means to add functionality to a Jenkins build server (where the jenkins account has a disabled shell).

Solution

If you come across a software package on a Linux host that runs with a system account (one without a known password or defined shell), here are ways to do things as a system account user.

The above check in /etc/passwd will indicate what shell is defined for the Jenkins user.

Normally, it will be set to: /bin/false.
This means that the user's shell is disabled.

Obviously the above screenshot indicates the jenkins shell is: /bin/bash.
But, this was set as a permanent fix, that could have been a drastic solution, and not totally necessary, since we've learned since then.

Here are a couple of things we can do, when we must install things for the jenkins user (that will execute them).

sudo su-u jenkins -s --shell /bin/bash
  1. Temporarily switch to the Jenkins user (if jenkins has no valid shell).
    If the login shell is /bin/false or /user/sbin/nologin, you won't be able to use su jenkins directly.
    Instead, you can run either of these:

    Or:

    sudo -u jenkins bash

    This gives you a shell as jenkins.

  2. Permanent Change (If You Want to Allow Logins)

    If you want to enable login for the jenkins user, you can change its shell to /bin/bash:

    sudo usermod -s /bin/bash jenkins

    Now, you can switch users normally with:
    sudo su jenkins

    Or (if running as root):
    su - jenkins

  3. Running a Specific Command as the Jenkins User

    If you only need to run a single command as jenkins, you can use:

    sudo su jenkins <command>

    For example:

    sudo -u jenkins whoami

    Or:

    sudo -u jenkins ssh-keygen -t rsa -b 4096 -f /var/lib/jenkins/.ssh/id_rsa

Examples

Here are examples of how to use the above technique to impersonate a user.

Installing SSH Keys
sudo -u jenkins mkdir -p /var/lib/jenkins/.ssh
sudo -u jenkins chmod 700 /var/lib/jenkins/.ssh
sudo -u jenkins ssh-keygen -t rsa -b 4096 -f /var/lib/jenkins/.ssh/id_rsa
Configuring Git for a Jenkins User
sudo -u jenkins git config --global user.name "Jenkins CI"
sudo -u jenkins git config --global user.email "jenkins@example.com"
Getting Environment Variables for a User
sudo -u jenkins env

Back to top