
Run a command as a different user

Execute a command under another user's identity — for testing service accounts, accessing other users' files, and running as root.

How to run a command as a different user in each shell

Bash (unix)
sudo -u alice -- ./cmd args

`-u USER` runs as USER (default is root). `--` separates sudo flags from the command. Preserves CURRENT environment minus a sanitised list (sudo strips PATH, LD_*, etc. for security). To pass HTTP_PROXY etc.: `sudo --preserve-env=HTTP_PROXY -u alice cmd`.

Zsh (unix)
sudo -u alice -- ./cmd args
Fish (unix)
sudo -u alice -- ./cmd args
PowerShell (windows)
Start-Process -FilePath ./cmd.exe -Credential alice -ArgumentList 'args'

Prompts for password interactively. Non-interactive: pre-build credentials `$c = New-Object PSCredential alice, (ConvertTo-SecureString "..." -AsPlainText -Force); Start-Process -Credential $c`. Cleartext-password storage is a smell — prefer Windows Credential Manager.

cmd.exe (windows)
runas /user:alice "cmd /c long-task.exe args"

`runas` ALWAYS prompts for the password interactively; there is no flag to pass it on the command line. Workaround: `psexec.exe` from Sysinternals (`psexec -u alice -p PWD cmd`). Domain users: `/user:DOMAIN\alice`.

Equivalents listed for Bash, Zsh, Fish, PowerShell, cmd.exe.

Gotchas & notes

  • **`sudo -u USER cmd` vs `su - USER -c cmd` — environment is the key difference**: `sudo -u alice cmd` runs `cmd` as alice with YOUR current environment (PATH, etc.) mostly intact (sudo strips a sanitised list). `su - alice -c cmd` runs `cmd` as alice with alice's FRESH login environment (`-` = simulated login: clear env, source alice's `.profile`, switch to her home dir). For consistent service-account testing, `su - alice -c cmd` reproduces what alice would actually see; for "I need to read a file alice owns and use my own env", `sudo -u alice cmd` is right. `sudo -i -u alice` is the closest sudo-equivalent of `su -` (login shell).
  • **Sudo's environment scrubbing is INTENTIONAL but trips people up**: `sudo` strips PATH (replaces with a secure default from `/etc/sudoers` `secure_path`), LD_LIBRARY_PATH, IFS, and a long list of others — to prevent privilege escalation via environment manipulation. Symptoms: "my command works as me but `sudo cmd` says command not found" → the binary is in `/opt/foo/bin` which is in YOUR PATH but not in sudo's secure_path. Fixes: (1) full path (`sudo /opt/foo/bin/cmd`); (2) `sudo env "PATH=$PATH" cmd` (preserve current PATH); (3) edit `/etc/sudoers` `secure_path=` line (system-wide); (4) `sudo -E cmd` preserves ALL env (turns off scrubbing — security weaker). `--preserve-env=VAR1,VAR2` is the surgical option.
  • **pwsh `Start-Process -Credential` requires a `PSCredential` object** — building it cleanly: `$cred = Get-Credential` (interactive prompt — best for one-off) or `$cred = New-Object PSCredential alice, (Read-Host "Password" -AsSecureString)` (script-friendly). For unattended use, store in Windows Credential Manager: `cmdkey /generic:myapp /user:alice /pass:PWD` then retrieve with `[PSCredential]::new("alice", (ConvertTo-SecureString (cmdkey /list:myapp …) ...))`. Pwsh has no `sudo -u` direct equivalent — `Start-Process -Credential` always spawns a new process (vs sudo which can exec in the current shell). Closest thing: `Invoke-Command -Credential $cred -ComputerName . -ScriptBlock { … }` runs over PowerShell Remoting on localhost.
  • **Linux Polkit (pkexec) for desktop apps**: when a GUI command needs root, `pkexec ./cmd` shows the polkit GUI prompt (vs sudo which only works on a terminal). Useful for systemd unit ExecStartPre when the user needs to be prompted graphically. Polkit rules in `/etc/polkit-1/rules.d/` define which users can run what. For headless servers, sudo is the simpler answer; for desktop apps that occasionally need privilege, pkexec is the right one.
  • **Service accounts and AUTH**: production "run as service-account" patterns avoid passwords entirely. Linux/cloud: IAM roles, K8s ServiceAccount tokens projected to a path (`/var/run/secrets/kubernetes.io/serviceaccount/token`), AWS IMDSv2 metadata, GCP Workload Identity. The application reads the token and authenticates upstream — never knows a password. Windows: Group Managed Service Accounts (gMSA), Kerberos tickets. The shell-level `sudo -u alice cmd` / `runas /user:alice` pattern is for INTERACTIVE / DEBUGGING use, not for production daemons. For production, treat "run as user X" as an authentication problem, not a process-spawning problem.
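
A way to check the `secure_path` gotcha above without invoking sudo, as an added example that is not part of the original page: `diagnose` shows which file a name resolves to under your PATH versus a given secure_path, and `audit_path` flags secure_path entries that are relative or group/world-writable (worth running before applying fix 3). The function names and `SAMPLE_SECURE_PATH` are illustrative assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. SAMPLE_SECURE_PATH is a
# constructed value; on a real host use the secure_path line from /etc/sudoers.
SAMPLE_SECURE_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# find_in_path NAME PATHLIST: print the first executable file named NAME,
# searching PATHLIST in order. Returns 1 when nothing matches.
find_in_path() {
  local name="$1" dir IFS=:
  for dir in $2; do
    if [ -n "$dir" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"; return 0
    fi
  done
  return 1
}

# diagnose NAME USER_PATH SECURE_PATH: compare the two lookups.
diagnose() {
  local mine theirs
  mine=$(find_in_path "$1" "$2") || mine=
  theirs=$(find_in_path "$1" "$3") || theirs=
  if [ -z "$mine$theirs" ]; then echo "not-found"
  elif [ -z "$theirs" ]; then echo "only-in-your-PATH: run sudo $mine"
  elif [ "$mine" = "$theirs" ]; then echo "same: $theirs"
  else echo "differs: shell=${mine:-none} sudo=$theirs"  # sudo runs another file
  fi
}

# audit_path PATHLIST: flag entries that weaken a secure_path: relative or
# empty entries, and directories writable by group or others.
audit_path() {
  local dir IFS=:
  for dir in $1; do
    case "$dir" in
      /*) ;;
      *) echo "relative: ${dir:-<empty>}"; continue ;;
    esac
    [ -d "$dir" ] || continue
    # -L: judge the symlink target (e.g. /bin -> usr/bin), not the link itself
    if [ -n "$(find -L "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
      echo "writable: $dir"
    fi
  done
}

diagnose ls "$PATH" "$SAMPLE_SECURE_PATH"
audit_path "$SAMPLE_SECURE_PATH"
```

A `differs` verdict means the name resolves to a different file once sudo substitutes secure_path, which is the behaviour the scrubbing is designed to produce.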
