diff --git a/hawk/app/lib/util.rb b/hawk/app/lib/util.rb
index 17ff67439..5d5903ae9 100644
--- a/hawk/app/lib/util.rb
+++ b/hawk/app/lib/util.rb
@@ -19,7 +19,7 @@ def numeric?(n)
 # DON'T USE THIS FUNCTION DIRECTLY - it's subject to deadlocks e.g.:
 # http://coldattic.info/shvedsky/pro/blogs/a-foo-walks-into-a-bar/posts/63
 # Rather you should prefer capture3.
- def popen3(user, pass, *cmd)
+ def popen3(user, *cmd)
 raise SecurityError, "Util::popen3 called with < 2 args" if cmd.length < 2
 pw = IO::pipe # pipe[0] for read, pipe[1] for write
 pr = IO::pipe
@@ -39,13 +39,12 @@ def popen3(user, pass, *cmd)
 STDERR.reopen(pe[1])
 pe[1].close
- if user == nil or user=="" or user == "hacluster" or user == "root"
+ if user.to_s.strip.empty? or user == "hacluster" or user == "root"
 # RORSCAN_INL: cmd always has > 1 elem, so safe from shell injection
 exec(*cmd)
 else
- #TODO: command = ['/usr/bin/su', user, '--shell=/bin/sh', '-c', "/usr/sbin/crm -f #{tmpf.path}", stdin_data: pass]
- command = "hawk_invoke.sh #{user} #{pass} '#{cmd.join(" ")}' | tail -n +3"
- exec(command)
+ command = ['su', '-', user, 'sh', '-c', "#{cmd.join(" ")}"]
+ exec(*command)
 end
 }
 wait_thr = Process.detach(pid)
@@ -79,7 +78,7 @@ def capture3(*cmd)
 end
 Rails.logger.debug "Executing `#{cmd.join(' ').inspect}` through `capture3`"
 stdin_data = opts.delete(:stdin_data) || ''
- Util.popen3(nil, nil, *cmd) {|i, o, e, t|
+ Util.popen3(nil, *cmd) {|i, o, e, t|
 out_reader = Thread.new { o.read }
 err_reader = Thread.new { e.read }
 i.write stdin_data
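Review bot: In the `else` branch of popen3 (hunk `@@ -39,13 +39,12 @@`), `cmd.join(" ")` flattens the argv into one string that `sh -c` parses again, so the RORSCAN_INL guarantee on the lines above covers only the direct `exec(*cmd)` branch; any element containing whitespace or shell metacharacters changes meaning when the command runs as another user. Unless callers rely on shell syntax inside `cmd` (not visible here), quote each element with `command = ['su', '-', user, 'sh', '-c', Shellwords.join(cmd)]` and add `require 'shellwords'` at the top of the file. `user` also lands where su parses its own options, so a value starting with `-` should be rejected before this point, and `su` is now resolved through PATH where the removed TODO line used `/usr/bin/su`. popen3's body starts and ends outside the hunk.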
@@ -97,9 +96,13 @@ def run_as(user, pass, *cmd)
 end
 Rails.logger.debug "Executing `#{cmd.join(' ').inspect}` as `#{user}` through `run_as`"
 stdin_data = opts.delete(:stdin_data) || ''
- Util.popen3(user, pass, *cmd) {|i, o, e, t|
+ Util.popen3(user, *cmd) {|i, o, e, t|
 out_reader = Thread.new { o.read }
 err_reader = Thread.new { e.read }
+ if not user.to_s.strip.empty? and user != "hacluster" and user != "root"
+ i.write pass
+ i.write "\n"
+ end
 i.write stdin_data
 i.close
 [out_reader.value, err_reader.value, t.value]
diff --git a/tools/hawk_invoke.sh b/tools/hawk_invoke.sh
deleted file mode 100755
index 1d5600689..000000000
--- a/tools/hawk_invoke.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout -1
-set user [lindex $argv 0];
-set pass [lindex $argv 1];
-set cmd [lindex $argv 2];
-
-
-#spawn su - $user -c "$cmd" | tail -n +3
-spawn su - $user -c "$cmd"
-
-expect "assword:"
-
-send -- "$pass\r"
-
-expect eof
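Review bot: The added `if not user.to_s.strip.empty? and user != "hacluster" and user != "root"` in run_as (hunk `@@ -97,9 +96,13 @@`) is a hand-negated copy of the branch condition inside popen3, and nothing keeps the two in step. If they ever disagree, the password line is written to the stdin of a command started with plain `exec(*cmd)`. Even when they agree, a su that does not read a password from stdin (for example when PAM does not prompt, which is an assumption and not visible here) leaves `pass` in the pipe ahead of `stdin_data`, where the target command reads it as its first input line. Consider one shared predicate, for example a helper `su_needed?(user)` called from both popen3 and run_as, plus a comment such as `# first stdin line is consumed by su as the password`. run_as begins outside the hunk.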