TechEarl

How to Run a Command as Another User (sudo -u)

Run a command as a different user with sudo -u or runuser, including as a service account that has no login shell, and the difference between the two.

Ishan Karunaratne · 4 min read

To run a single command as another user, use sudo -u:

bash
sudo -u deploy whoami

Figure: a root terminal where whoami returns root, sudo -u deploy whoami returns deploy, and sudo -u deploy id shows the deploy user's uid and groups. sudo -u deploy runs the command with deploy's identity, not root's; id confirms the switched uid and groups.

The common real cases

bash
sudo -u postgres psql                       # run a DB client as the DB's own user
sudo -u www-data php artisan migrate         # run an app command as the web user
sudo -u deploy bash -c 'cd ~ && ./deploy.sh' # a small script as the deploy user

Running as the service's own user matters because files the command creates end up owned correctly. Running a web app's CLI as root, then having the web server (as www-data) unable to read the files it just wrote, is a classic self-inflicted permissions bug.

sudo -u as a service account with no login shell

Service accounts often have nologin as their shell, so you cannot su into them interactively. sudo -u does not need a login shell, so it still works:

bash
sudo -u appsvc /opt/app/bin/worker --once

That runs the worker as appsvc even though nobody can log in as appsvc.

sudo -u vs su vs runuser

| Command | Needs | Runs as | Notes |
| --- | --- | --- | --- |
| sudo -u user cmd | your sudo rights | target user | Per-command, audited, no target password. The usual choice. |
| su - user -c 'cmd' | the target user's password (or root) | target user | Starts a login shell; needs the target's password unless you are root. |
| runuser -u user -- cmd | root | target user | Like su but no PAM password prompt; for scripts run as root. |

sudo -u is the right tool interactively because it uses your credentials and is logged. runuser is the scripting tool when you are already root and want no prompt.
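
The choice described above, as an added example that is not the article's own code: a POSIX sh helper that runs one command as a service account, using runuser when the caller is already root and sudo -n -u otherwise. The helper names run_as and login_shell are hypothetical; appsvc and the worker path are the article's sample values.

```sh
#!/bin/sh
# Added example (not from the article): run one command as a service account,
# choosing runuser when already root and sudo -u otherwise.
# run_as and login_shell are hypothetical helper names.

# login_shell USER: print field 7 (the shell) of USER's passwd entry.
login_shell() {
  getent passwd "$1" | cut -d: -f7
}

# run_as USER CMD [ARGS...]: execute CMD with USER's uid and groups.
run_as() {
  target=$1
  shift
  # Refuse early if the account does not exist (protects against typos).
  if ! getent passwd "$target" >/dev/null; then
    echo "run_as: no such user: $target" >&2
    return 1
  fi
  # A nologin shell blocks interactive login but not direct execution.
  case "$(login_shell "$target")" in
    */nologin|*/false)
      echo "run_as: $target has no login shell, executing directly" >&2 ;;
  esac
  if [ "$(id -u)" -eq 0 ]; then
    # Already root (cron job, init script): no password prompt needed.
    runuser -u "$target" -- "$@"
  else
    # Unprivileged caller: uses the caller's sudo rights and is logged.
    # -n makes sudo fail instead of prompting, so a script never hangs.
    sudo -n -u "$target" -- "$@"
  fi
}

# Usage: ./run_as.sh appsvc /opt/app/bin/worker --once
if [ "$#" -gt 0 ]; then
  run_as "$@"
fi
```

The `--` before the command stops sudo and runuser from treating the command's own flags (such as `--once`) as their options.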

Get an interactive shell as the user

bash
sudo -u deploy -i        # an interactive login shell as deploy
sudo -u deploy -s        # a non-login shell as deploy

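-i simulates a full login: it runs the target user's own login shell and loads their environment and dotfiles. -s just starts a shell with the current environment. Because -i uses the target's login shell, it fails for a service account whose shell is nologin; -s runs your shell instead, so it still works there.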
