TechEarl

How to Run a Command as Another User (sudo -u)

Run a command as a different user with sudo -u or runuser, including as a service account that has no login shell, and the difference between the two.

By Ishan Karunaratne · 4 min read

To run a single command as another user, use sudo -u:

```bash
sudo -u deploy whoami
```

[Figure: root terminal showing whoami returning root, then sudo -u deploy whoami returning deploy, and sudo -u deploy id showing the deploy user's uid and groups.]

sudo -u deploy runs the command with deploy's identity, not root's; id confirms the switched uid and groups.

The common real cases

```bash
sudo -u postgres psql                          # run a DB client as the DB's own user
sudo -u www-data php artisan migrate           # run an app command as the web user
sudo -u deploy bash -c 'cd ~ && ./deploy.sh'   # a small script as the deploy user
```

Running as the service's own user matters because files the command creates end up owned correctly. Running a web app's CLI as root, then having the web server (as www-data) unable to read the files it just wrote, is a classic self-inflicted permissions bug.

sudo -u with a service account that has no login shell

Service accounts often have nologin as their shell, so you cannot su into them interactively. sudo -u does not need a login shell, so it still works:

```bash
sudo -u appsvc /opt/app/bin/worker --once
```

That runs the worker as appsvc even though nobody can log in as appsvc.

sudo -u vs su vs runuser

| Command | Needs | Runs as | Notes |
| --- | --- | --- | --- |
| sudo -u user cmd | your sudo rights | target user | Per-command, audited, no target password. The usual choice. |
| su - user -c 'cmd' | the target user's password (or root) | target user | Starts a login shell; needs the target's password unless you are root. |
| runuser -u user -- cmd | root | target user | Like su but no PAM password prompt; for scripts run as root. |

sudo -u is the right tool interactively because it uses your credentials and is logged. runuser is the scripting tool when you are already root and want no prompt.

Get an interactive shell as the user

```bash
sudo -u deploy -i        # an interactive login shell as deploy
sudo -u deploy -s        # a non-login shell as deploy
```

-i simulates a full login (loads their environment and dotfiles); -s just starts a shell with the current environment.
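
The choices above (runuser when already root, sudo -u otherwise, and no interactive shell for nologin service accounts) can be wrapped in a small helper. This is an added example, not code from the original article: the function names and the sample passwd lines are constructed for illustration, and sudo -n is an assumption made here so that an unattended script fails instead of waiting at a password prompt.

```bash
#!/bin/sh
# Added example, not from the article. Function names and the sample passwd
# lines are constructed; deploy and appsvc are the article's example accounts.

SAMPLE_PASSWD='deploy:x:1001:1001::/home/deploy:/bin/bash
appsvc:x:998:998::/opt/app:/usr/sbin/nologin'

# Print the login shell (7th field) of user $1 from passwd lines on stdin;
# exit status 1 if the user is not listed.
shell_of() {
  awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }'
}

# True when the shell refuses interactive logins (nologin or false).
is_nologin() {
  case "${1##*/}" in nologin|false) return 0 ;; *) return 1 ;; esac
}

# Run "$@" as user $1: runuser when already root (no prompt), otherwise
# sudo -n so an unattended script fails instead of waiting for a password.
# The ( ) body is a subshell, which keeps $user out of the caller's scope.
run_as() (
  user=$1; shift
  id -u "$user" >/dev/null 2>&1 || { echo "run_as: no such user: $user" >&2; exit 1; }
  if [ "$(id -u)" -eq 0 ]; then
    runuser -u "$user" -- "$@"
  else
    sudo -n -u "$user" -- "$@"
  fi
)

# Open a login shell as user $1 only if the account has a usable shell;
# sudo -i starts the target's own shell, so nologin would just exit.
login_as() (
  sh_path=$(getent passwd "$1" | shell_of "$1") || { echo "login_as: no such user: $1" >&2; exit 1; }
  if is_nologin "$sh_path"; then
    echo "login_as: $1 has shell $sh_path; use run_as $1 <command>" >&2; exit 2
  fi
  exec sudo -u "$1" -i
)

# Demo on the constructed entries; needs no privileges.
for u in deploy appsvc; do
  s=$(printf '%s\n' "$SAMPLE_PASSWD" | shell_of "$u")
  if is_nologin "$s"; then echo "$u ($s): run_as only"; else echo "$u ($s): run_as or login_as"; fi
done
```

For example, run_as appsvc /opt/app/bin/worker --once behaves the same from a root cron job and from an admin's terminal, while login_as appsvc refuses with a pointer to run_as.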

Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.
