startas

Startas is a command‑line utility found on some Unix‑like operating systems that allows a user to launch a program under the identity or privilege level of another user or group. It was originally created to provide a safer alternative to the traditional “su” command when only a limited set of users or groups should be granted the ability to start privileged processes. The tool can be invoked from a shell prompt, a script, or an automated system configuration.

The basic syntax of startas is: startas [options] -u user -g group command [arguments]. The -u and -g options specify the target user and group under which the command will run. If -u is omitted the root user is assumed. Additional options include -t for a timeout, -p to specify a specific set of privileges, and -l to log the command execution to a syslog facility. Unlike sudo, which uses a dynamic policy file (/etc/sudoers), startas operates based on a configuration file located in /etc/startas.conf, where administrators can define allowed user‑to‑user mappings and capabilities on a per‑command basis.

Startas is designed to mitigate privilege escalation risks by enforcing an explicit, reviewable set of permissions. It checks the validity of the supplied user credentials against the local password database and verifies that the launching user is authorized to start the requested program on behalf of the target user. Because it does not require storing passwords locally, the security model is considered more robust than simple sudo privilege escalation.

Installation of startas typically involves compiling from source or installing a package from a distribution’s repository. The default configuration file includes examples for common services such as database servers, web servers, and user‑space daemons. Many system administrators incorporate startas into deployment scripts, cron jobs, or container entrypoints to ensure that services run with the least privilege necessary.