Permission denied error on /root/.bash_profile when running su command


Published on November 25th 2014 - Listed in Linux Shell


On an Ubuntu 14 server I recently saw a strange error on stdout when I tried to launch a command as another user through "su -":

su - toto -m -c "/srv/tomcat/toto/bin/startup.sh"
-su: /root/.bash_profile: Permission denied
Using CATALINA_BASE:   /srv/tomcat/toto
Using CATALINA_HOME:   /srv/tomcat
Using CATALINA_TMPDIR: /srv/tomcat/toto/temp
Using JRE_HOME:        /srv/java
Using CLASSPATH:       /srv/tomcat/bin/bootstrap.jar:/srv/tomcat/bin/tomcat-juli.jar
Tomcat started.

Although the command worked and was successfully executed, I was wondering about the Permission denied error on /root/.bash_profile. To fully (or even partly) understand how bash handles different types of shells, you should take a look at "man bash" and grep for INVOCATION. There it is written black on white (or white on black in a standard console) - unfortunately not very clear though. Luckily I found the following graphic a while ago which explains which type of shell is loading which files (the printed version of it is hanging behind me in my office by the way).

[Image: Bash Login loaded files]

Source: http://www.solipsys.co.uk/new/BashInitialisationFiles.html

Two things combine here. The -m parameter (preserve environment) keeps root's shell environment, so the home directory still points to /root. And "su -" is interpreted as a login shell, so bash first reads /etc/profile and then tries to read /root/.bash_profile. Because the toto user cannot access /root/.bash_profile, the Permission denied error appears.

If the /root folder were readable by the toto user, the same command would work without any Permission denied error:

chmod 755 /root
su - toto -m -c "/srv/tomcat/toto/bin/shutdown.sh"
Using CATALINA_BASE:   /srv/tomcat/toto
Using CATALINA_HOME:   /srv/tomcat
Using CATALINA_TMPDIR: /srv/tomcat/toto/temp
Using JRE_HOME:        /srv/java
Using CLASSPATH:       /srv/tomcat/bin/bootstrap.jar:/srv/tomcat/bin/tomcat-juli.jar

But granting other users access to /root is bad. There are other alternatives.
su can also be launched without a login shell (without the dash after su):

su toto -m -c "/srv/tomcat/toto/bin/startup.sh"
Using CATALINA_BASE:   /srv/tomcat/toto
Using CATALINA_HOME:   /srv/tomcat
Using CATALINA_TMPDIR: /srv/tomcat/toto/temp
Using JRE_HOME:        /srv/java
Using CLASSPATH:       /srv/tomcat/bin/bootstrap.jar:/srv/tomcat/bin/tomcat-juli.jar
Tomcat started.

When the same command is launched without the login shell, bash only reads the file named in $BASH_ENV, taken from the current session (root's), without trying to load any other files (from /root). Hence no Permission denied error.
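
The login-shell lookup explained above can be checked before running "su - user -m". The following is an added example, not part of the original post: it inspects the preserved home directory and reports whether a login shell started as another user would be denied. The function names are hypothetical, and it assumes GNU stat, no ACLs, traversable parent directories, and a target user who is neither owner nor group member of the files, so only the "other" permission bits are checked.

```shell
#!/bin/sh
# Added example: predict the "Permission denied" from `su - USER -m`.
# Assumptions (not from the post): GNU stat, no ACLs, target user only
# matches the "other" permission bits.

# other_has BIT PATH: succeed if the "other" bits of PATH include BIT
# (4 = read, 1 = execute/traverse).
other_has() {
    _mode=$(stat -c '%a' "$2") || return 2
    [ $(( 0$_mode & $1 )) -ne 0 ]
}

# check_login_home HOME_DIR: print a verdict for the first startup file a
# bash login shell would try under HOME_DIR; return 0 (ok) or 1 (denied).
check_login_home() {
    _home=$1
    [ -d "$_home" ] || { echo "ERROR: $_home is not a directory"; return 2; }
    # Without o+x on the directory the very first lookup fails, which is
    # the case from the post (/root with mode 700).
    if ! other_has 1 "$_home"; then
        echo "DENIED: $_home/.bash_profile (directory not traversable)"
        return 1
    fi
    # bash tries these files in this order.
    for _f in .bash_profile .bash_login .profile; do
        [ -e "$_home/$_f" ] || continue
        if other_has 4 "$_home/$_f"; then
            echo "OK: $_home/$_f"
            return 0
        fi
        echo "DENIED: $_home/$_f (file not readable)"
        return 1
    done
    echo "OK: no startup file in $_home"
}

# Check the home directory given as argument, or the current $HOME.
check_login_home "${1:-${HOME:-/}}" || true
```

Run as root with /root as argument, a DENIED verdict means the "su -" plus "-m" combination will print the error, and dropping the dash avoids it without touching the permissions of /root.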

