On an Ubuntu 14 server I recently saw a strange error on stdout when I tried to launch a command as another user through "su -":
su - toto -m -c "/srv/tomcat/toto/bin/startup.sh"
-su: /root/.bash_profile: Permission denied
Using CATALINA_BASE: /srv/tomcat/toto
Using CATALINA_HOME: /srv/tomcat
Using CATALINA_TMPDIR: /srv/tomcat/toto/temp
Using JRE_HOME: /srv/java
Using CLASSPATH: /srv/tomcat/bin/bootstrap.jar:/srv/tomcat/bin/tomcat-juli.jar
Tomcat started.
Although the command worked and was successfully executed, I was wondering about the Permission denied error on /root/.bash_profile. To fully (or even partly) understand how bash handles different types of shells, you should take a look at "man bash" and search for INVOCATION. There it is written in black and white (or white on black in a standard console), although unfortunately not very clearly. Luckily I found the following graphic a while ago which explains which type of shell loads which files (the printed version of it is hanging behind me in my office, by the way).
Source: http://www.solipsys.co.uk/new/BashInitialisationFiles.html
Because the -m parameter (preserve environment) keeps root's shell environment, $HOME still points to /root, and because "su -" starts a login shell, bash first reads /etc/profile and then tries to read /root/.bash_profile. The toto user cannot access /root/.bash_profile, hence the Permission denied error.
If the permissions on the /root folder allowed the toto user to read it, the same command would work without any Permission denied error:
chmod 755 /root
su - toto -m -c "/srv/tomcat/toto/bin/shutdown.sh"
Using CATALINA_BASE: /srv/tomcat/toto
Using CATALINA_HOME: /srv/tomcat
Using CATALINA_TMPDIR: /srv/tomcat/toto/temp
Using JRE_HOME: /srv/java
Using CLASSPATH: /srv/tomcat/bin/bootstrap.jar:/srv/tomcat/bin/tomcat-juli.jar
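But granting access to /root is bad: root's home directory commonly holds shell history, SSH keys and other files that no other user should be able to read. There are other alternatives.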
su can also be launched without a login shell (without the dash after su):
su toto -m -c "/srv/tomcat/toto/bin/startup.sh"
Using CATALINA_BASE: /srv/tomcat/toto
Using CATALINA_HOME: /srv/tomcat
Using CATALINA_TMPDIR: /srv/tomcat/toto/temp
Using JRE_HOME: /srv/java
Using CLASSPATH: /srv/tomcat/bin/bootstrap.jar:/srv/tomcat/bin/tomcat-juli.jar
Tomcat started.
When the same command is launched without a login shell, bash only reads the file named in $BASH_ENV (if that variable is set in the current session, i.e. root's), without trying to load any other files (from /root). Hence no Permission denied error.
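The difference between the two invocations can be reproduced without root or su. The following is an added example, not part of the original post: a throwaway directory stands in for the preserved HOME=/root, and the function name, marker files and env.sh are assumptions made for the demo.

```bash
# Constructed demo: which startup files does bash source for a login shell
# versus a non-login shell when HOME is inherited from the caller (as with su -m)?
# A temporary directory plays the role of /root; nothing here needs privileges.

startup_trace() {
    # $1 = "login" or "nonlogin"; prints the startup files bash sourced, in order
    mode=$1
    home=$(mktemp -d) || return 1
    log="$home/trace.log"
    : > "$log"

    # Each candidate file appends its own name to the log when it is sourced.
    # .profile is included to show that bash stops at the first personal
    # login file it finds (.bash_profile, .bash_login, .profile).
    for f in .bash_profile .profile; do
        printf 'echo %s >> "%s"\n' "$f" "$log" > "$home/$f"
    done
    printf 'echo bash_env >> "%s"\n' "$log" > "$home/env.sh"

    case $mode in
        # like "su - user -m": login shell, HOME still the caller's
        login)    HOME=$home BASH_ENV=$home/env.sh bash --login -c true ;;
        # like "su user -m": plain non-interactive shell
        nonlogin) HOME=$home BASH_ENV=$home/env.sh bash -c true ;;
    esac >/dev/null 2>&1

    echo $(cat "$log")   # join the logged names onto one line
    rm -rf "$home"
}

printf 'login shell:     %s\n' "$(startup_trace login)"
printf 'non-login shell: %s\n' "$(startup_trace nonlogin)"
```

Only the login shell touches $HOME/.bash_profile, which is why the target user needs access to whatever directory HOME points at when "su -" and -m are combined.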
Rafael Horacio from wrote on Jul 24th, 2020:
Thanks a lot, I had a similar error here