Permission denied error on /root/.bash_profile when running su command

Written by - 1 comments

Published on - Listed in Linux Shell


On an Ubuntu 14 server I recently saw a strange error on stdout when I tried to launch a command as another user through "su -":

su - toto -m -c "/srv/tomcat/toto/bin/startup.sh"
-su: /root/.bash_profile: Permission denied
Using CATALINA_BASE:   /srv/tomcat/toto
Using CATALINA_HOME:   /srv/tomcat
Using CATALINA_TMPDIR: /srv/tomcat/toto/temp
Using JRE_HOME:        /srv/java
Using CLASSPATH:       /srv/tomcat/bin/bootstrap.jar:/srv/tomcat/bin/tomcat-juli.jar
Tomcat started.

Although the command worked and was successfully executed, I was wondering about the Permission denied error on /root/.bash_profile. To fully (or even partly) understand how bash handles different types of shells, you should take a look at "man bash" and grep for INVOCATION. There it is written black on white (or white on black in a standard console) - unfortunately not very clear though. Luckily I found the following graphic a while ago which explains which type of shell is loading which files (the printed version of it is hanging behind me in my office by the way).

Bash Login loaded files

Source: http://www.solipsys.co.uk/new/BashInitialisationFiles.html

Because the shell environment of root is kept by using the -m parameter (preserve environment) and because of the "su -" which is interpreted as a login shell, the shell environment tries to read first /etc/profile and then
/root/.bash_profile. But because toto user cannot access /root/.bash_profile there comes this permission denied error.

If the /root folder would allow permission to be read by the toto user, the same command works fine without any permission denied error:

chmod 755 /root
su - toto -m -c "/srv/tomcat/toto/bin/shutdown.sh"
Using CATALINA_BASE:   /srv/tomcat/toto
Using CATALINA_HOME:   /srv/tomcat
Using CATALINA_TMPDIR: /srv/tomcat/toto/temp
Using JRE_HOME:        /srv/java
Using CLASSPATH:       /srv/tomcat/bin/bootstrap.jar:/srv/tomcat/bin/tomcat-juli.jar

But granting access to /root is bad. There are other alternatives.
su can also be launched without a login shell (without the dash after su):

su toto -m -c "/srv/tomcat/toto/bin/startup.sh"
Using CATALINA_BASE:   /srv/tomcat/toto
Using CATALINA_HOME:   /srv/tomcat
Using CATALINA_TMPDIR: /srv/tomcat/toto/temp
Using JRE_HOME:        /srv/java
Using CLASSPATH:       /srv/tomcat/bin/bootstrap.jar:/srv/tomcat/bin/tomcat-juli.jar
Tomcat started.

When the same command is launched without the login shell, it just reads the $BASH_ENV from the current session (from root), without trying to load any other files (from /root). Hence no permission denied error.


Add a comment

Show form to leave a comment

Comments (newest first)

Rafael Horacio from wrote on Jul 24th, 2020:

Thanks a lot, I had a similar error here


RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Observability   Office   OpenSearch   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder