RHCSA (030): Season 2 - Scenario 5 of 25: Context Switch

Episode 30 Executive Summary

The Context Switch lab simulates a deceptive automation failure where a critical deployment script refuses to run despite having seemingly correct file permissions. This specific scenario frequently confuses RHCSA candidates because the error isn't about access to the file, but rather the environment in which it executes. You are stepping into a server where a junior administrator's attempt to run a service account's deployment tool is failing silently due to missing variables. My goal is to provide you with a realistic troubleshooting scenario that forces you to look beyond standard permission errors and analyze the invisible shell environment that dictates how applications behave.

The core of this challenge forces you to master the distinction between a standard shell switch and a full login shell. I intentionally configured the target service account to rely on variables defined in .bash_profile, a file that is ignored by default during a standard user switch. You cannot simply execute the script with elevated privileges; you must understand how to invoke a login shell that properly sources the target user's configuration files. This sequence is designed to harden your understanding of Linux session initialization and the su command's hyphen flag, ensuring you can reliably manage service accounts without creating "it works on my machine" discrepancies.

We finish with a verification task that validates your ability to persist and check environment variables across user boundaries. The exam and real-world operations frequently require you to assume the identity of a service user to debug application behavior without resetting their password or enabling direct root login. You will verify that the specific deployment variable is correctly loaded and that the script outputs the expected production status before executing a clean exit. By the end of this episode, you will have transformed a failing operational procedure into a reliable workflow, proving your ability to navigate complex user contexts with the precision required of a Red Hat system administrator.

Keywords: RHCSA, Red Hat Enterprise Linux, RHEL 10, su command, login shell, non-login shell, environment variables, bash_profile, sudo configuration, user context, automation troubleshooting, service accounts, script execution, Linux permissions, system administration, EX200 training

EPISODE 030: Context Switch
- Season: 2 | Difficulty: Medium
- Objectives: Primary 1.5 (Switch Users), 1.1 (Shell); Secondary 9.4 (Sudo)
- Lab Focus: Login Shells, Environment Variables, SU, Sudoers

---

### 1. SCENARIO BRIEF (THE PROBLEM)
A deployment script located in a service account's home directory is failing to run. The script relies on a specific environment variable set in the user's profile. Your junior administrator is attempting to execute it by switching users, but the variable is never found. You must demonstrate the correct method to switch user contexts to ensure the full login environment is loaded.

---

### 2. TASK ANALYSIS (THE "WHY")
- 1.5 (Switch Users): Understanding the difference between `su` (non-login) and `su -` (login) is critical for environment consistency.
- 1.1 (Shell): Identifying how `.bash_profile` and `.bashrc` are sourced depending on the invocation method.
- 9.4 (Sudo): Verifying privileges to switch identities without passwords.

---

### 3. SOLUTION STEPS

#### Step 1: Environment Setup (Root Only)
```bash
# Create the service account and the junior admin
useradd svc-deploy
useradd jr-admin
echo "redhat" | passwd --stdin jr-admin

# Configure the environment variable for the service account
echo 'export DEPLOY_TARGET="PRODUCTION"' >> /home/svc-deploy/.bash_profile
echo 'echo "Deploying to $DEPLOY_TARGET"' > /home/svc-deploy/deploy.sh
chmod +x /home/svc-deploy/deploy.sh

# Let jr-admin run su through sudo without a password (lab shortcut: su runs as
# root here, so this permits switching to any account, not only svc-deploy)
echo "jr-admin ALL=(ALL) NOPASSWD: /usr/bin/su" > /etc/sudoers.d/jr-admin
```

#### Step 2: Core Implementation (Execute as jr-admin)
```bash
# Switch to jr-admin first
su - jr-admin

# ATTEMPT 1: The Failure (Non-login shell)
# This fails because .bash_profile is not sourced, so DEPLOY_TARGET is empty
sudo su svc-deploy -c "/home/svc-deploy/deploy.sh"

# ATTEMPT 2: The Fix (Login shell)
# The hyphen (-) forces a login shell, reading .bash_profile
sudo su - svc-deploy -c "/home/svc-deploy/deploy.sh"

# ALTERNATIVE: Interactive Login
# Enter the shell fully to verify the variable exists
sudo su - svc-deploy
env | grep DEPLOY_TARGET
exit
```

Technical Breakdown: The `-` flag in `su -` clears the environment and loads the target user's configuration files (like `.bash_profile`), ensuring variables are set.

Pro-Tip: When scripting cron jobs or automation, always use full paths or ensure the environment is explicitly sourced.
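
The difference between Attempt 1 and Attempt 2, reproduced without root as an added example (not part of the original lab): a temporary directory stands in for `/home/svc-deploy`, and `bash -c` and `bash -l -c` stand in for the shells that `su` and `su -` start. `deploy-strict.sh` is a hypothetical hardened variant of the script that exits non-zero when `DEPLOY_TARGET` is missing instead of printing an empty target.

```bash
#!/bin/bash
# Added example. SANDBOX is a constructed throwaway HOME standing in for
# /home/svc-deploy, so nothing here needs root, su or sudo.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT

# The profile line and the script, with the same content the lab creates.
echo 'export DEPLOY_TARGET="PRODUCTION"' > "$SANDBOX/.bash_profile"
echo 'echo "Deploying to $DEPLOY_TARGET"' > "$SANDBOX/deploy.sh"

# Hypothetical hardened variant: refuse to run when the variable is missing.
cat > "$SANDBOX/deploy-strict.sh" <<'EOF'
#!/bin/sh
: "${DEPLOY_TARGET:?not set; was the login profile loaded?}"
echo "Deploying to $DEPLOY_TARGET"
EOF
chmod +x "$SANDBOX/deploy.sh" "$SANDBOX/deploy-strict.sh"

# run_as MODE SCRIPT
#   MODE=nologin -> bash -c ...     same startup files as 'su user -c ...'
#   MODE=login   -> bash -l -c ...  same startup files as 'su - user -c ...'
# env -i ensures DEPLOY_TARGET cannot be inherited from the caller.
run_as() {
    flag=
    [ "$1" = login ] && flag=-l
    env -i HOME="$SANDBOX" PATH="$PATH" bash $flag -c "$SANDBOX/$2" 2>/dev/null
}

# Print exit status and output for every combination.
for mode in nologin login; do
    for script in deploy.sh deploy-strict.sh; do
        out=$(run_as "$mode" "$script") && rc=0 || rc=$?
        printf '%-8s %-17s rc=%s out=[%s]\n' "$mode" "$script" "$rc" "$out"
    done
done
```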

#### Step 3: Verification (The "Proof of Work")
```bash
# Execute the script successfully as the target user
sudo su - svc-deploy -c "/home/svc-deploy/deploy.sh"
```

- EXPECTED: Deploying to PRODUCTION
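
The Step 1 rule allows `/usr/bin/su` to run as any user, so it also lets jr-admin switch to root, which is broader than "permission to switch to svc-deploy". An added sketch (not part of the original lab) of a rule scoped to the one target account, using sudo's own login option in place of `su`; it assumes the lab's account names and script path.

```sudoers
# /etc/sudoers.d/jr-admin

# Lab rule: su is run as root, so it can switch to ANY account, root included.
# jr-admin ALL=(ALL) NOPASSWD: /usr/bin/su

# Scoped rule: jr-admin may run commands only as svc-deploy, never as root.
jr-admin ALL=(svc-deploy) NOPASSWD: ALL

# Invocation as jr-admin; -i starts a login shell, so .bash_profile is read:
#   sudo -i -u svc-deploy /home/svc-deploy/deploy.sh
# Syntax check as root after editing:
#   visudo -cf /etc/sudoers.d/jr-admin
```

With this rule in place the `sudo su - svc-deploy` commands from Step 2 are denied, and the `sudo -i -u svc-deploy` form replaces them.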

---

### 4. COMPREHENSIVE CLEANUP (ZERO-TRACE)
```bash
userdel -r svc-deploy
userdel -r jr-admin
rm -f /etc/sudoers.d/jr-admin
```
