22. Modified command invocation

This section describes commands that run other commands in some context different than the current one: a modified environment, as a different user, etc.

22.1 chroot: Run a command with a different root directory		Modify the root directory.
22.2 env: Run a command in a modified environment		Modify environment variables.
22.3 nice: Run a command with modified scheduling priority		Modify scheduling priority.
22.4 nohup: Run a command immune to hangups		Immunize to hangups.
22.5 su: Run a command with substitute user and group id		Modify user and group id.

22.1 chroot: Run a command with a different root directory

chroot runs a command with a specified root directory. On many systems, only the super-user can do this. Synopses:

chroot newroot [command [args]...] chroot option

Ordinarily, filenames are looked up starting at the root of the directory structure, i.e., `/'. chroot changes the root to the directory newroot (which must exist) and then runs command with optional args. If command is not specified, the default is the value of the SHELL environment variable or /bin/sh if not set, invoked with the `-i' option.

The only options are `--help' and `--version'. See section 2. Common options.

Here are a few tips to help avoid common problems in using chroot. To start with a simple example, make command refer to a statically linked binary. If you were to use a dynamically linked executable, then you'd have to arrange to have the shared libraries in the right place under your new root directory.

For example, if you create a statically linked `ls' executable, and put it in /tmp/empty, you can run this command as root:

$ chroot /tmp/empty /ls -Rl /

Then you'll see output like this:

/: total 1023 -rwxr-xr-x 1 0 0 1041745 Aug 16 11:17 ls

If you want to use a dynamically linked executable, say bash, then first run `ldd bash' to see what shared objects it needs. Then, in addition to copying the actual binary, also copy the listed files to the required positions under your intended new root directory. Finally, if the executable requires any other files (e.g., data, state, device files), copy them into place, too.

22.2 env: Run a command in a modified environment

env runs a command with a modified environment. Synopses:

env [option]... [name=value]... [command [args]...] env

Arguments of the form `variable=value' set the environment variable variable to value value. value may be empty (`variable='). Setting a variable to an empty value is different from unsetting it.

The first remaining argument specifies the program name to invoke; it is searched for according to the PATH environment variable. Any remaining arguments are passed as arguments to that program.

If no command name is specified following the environment specifications, the resulting environment is printed. This is like specifying a command name of printenv.

The program accepts the following options. Also see 2. Common options.

`-u name'

`--unset=name'

Remove variable name from the environment, if it was in the environment.

`-'

`-i'

`--ignore-environment'

Start with an empty environment, ignoring the inherited environment.

22.3 nice: Run a command with modified scheduling priority

nice prints or modifies the scheduling priority of a job. Synopsis:

nice [option]... [command [arg]...]

If no arguments are given, nice prints the current scheduling priority, which it inherited. Otherwise, nice runs the given command with its scheduling priority adjusted. If no adjustment is given, the priority of the command is incremented by 10. You must have appropriate privileges to specify a negative adjustment. The priority can be adjusted by nice over the range of -20 (the highest priority) to 19 (the lowest).

Because most shells have a built-in command by the same name, using the unadorned command name in a script or interactively may get you different functionality than that described here.

The program accepts the following option. Also see 2. Common options.

`-n adjustment'

`--adjustment=adjustment'

Add adjustment instead of 10 to the command's priority.

On older systems, nice supports an obsolete option `-adjustment'. POSIX 1003.1-2001 (see section 2.5 Standards conformance) does not allow this; use `-n adjustment' instead.

22.4 nohup: Run a command immune to hangups

nohup runs the given command with hangup signals ignored, so that the command can continue running in the background after you log out. Synopsis:

nohup command [arg]...

If standard output is a terminal, it is redirected so that it is appended to the file `nohup.out'; if that cannot be written to, it is appended to the file `$HOME/nohup.out'. If that cannot be written to, the command is not run.

If nohup creates either `nohup.out' or `$HOME/nohup.out', it creates it with no "group" or "other" access permissions. It does not change the permissions if the output file already existed.

If standard error is a terminal, it is redirected to the same file descriptor as the standard output.

nohup does not automatically put the command it runs in the background; you must do that explicitly, by ending the command line with an `&'. Also, nohup does not change the scheduling priority of command; use nice for that, e.g., `nohup nice command'.

The only options are `--help' and `--version'. See section 2. Common options.

Exit status:

126 if command was found but could not be invoked 127 if nohup itself failed or if command could not be found the exit status of command otherwise

22.5 su: Run a command with substitute user and group id

su allows one user to temporarily become another user. It runs a command (often an interactive shell) with the real and effective user id, group id, and supplemental groups of a given user. Synopsis:

su [option]... [user [arg]...]

If no user is given, the default is root, the super-user. The shell to use is taken from user's passwd entry, or `/bin/sh' if none is specified there. If user has a password, su prompts for the password unless run by a user with effective user id of zero (the super-user).

By default, su does not change the current directory. It sets the environment variables HOME and SHELL from the password entry for user, and if user is not the super-user, sets USER and LOGNAME to user. By default, the shell is not a login shell.

Any additional args are passed as additional arguments to the shell.

GNU su does not treat `/bin/sh' or any other shells specially (e.g., by setting argv[0] to `-su', passing -c only to certain shells, etc.).

su can optionally be compiled to use syslog to report failed, and optionally successful, su attempts. (If the system supports syslog.) However, GNU su does not check if the user is a member of the wheel group; see below.

The program accepts the following options. Also see 2. Common options.

`-c command'

`--command=command'

Pass command, a single command line to run, to the shell with a -c option instead of starting an interactive shell.

`-f'

`--fast'

Pass the -f option to the shell. This probably only makes sense if the shell run is csh or tcsh, for which the -f option prevents reading the startup file (`.cshrc'). With Bourne-like shells, the -f option disables file name pattern expansion (globbing), which is not likely to be useful.

`-'

`-l'

`--login'

Make the shell a login shell. This means the following. Unset all environment variables except TERM, HOME, and SHELL (which are set as described above), and USER and LOGNAME (which are set, even for the super-user, as described above), and set PATH to a compiled-in default value. Change to user's home directory. Prepend `-' to the shell's name, intended to make it read its login startup file(s).

`-m'

`-p'

`--preserve-environment'

Do not change the environment variables HOME, USER, LOGNAME, or SHELL. Run the shell given in the environment variable SHELL instead of the shell from user's passwd entry, unless the user running su is not the superuser and user's shell is restricted. A restricted shell is one that is not listed in the file `/etc/shells', or in a compiled-in list if that file does not exist. Parts of what this option does can be overridden by --login and --shell.

`-s shell'

`--shell=shell'

Run shell instead of the shell from user's passwd entry, unless the user running su is not the superuser and user's shell is restricted (see `-m' just above).

Why GNU su does not support the `wheel' group

(This section is by Richard Stallman.)

Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.