Home / server / Questions / 17814
Accepted
gharper
Asked: 2009-06-03 07:13:43 +0800 CST

How can I allow one user to su to another without allowing root access?

  • 772

I'd like to allow certain users to su to another user account without having to know that account's password, but not allow access to any other user account (i.e. root).
For instance, I'd like to allow Tom the DBA to su to the oracle user, but not to the tomcat user or root.

I imagine this could be done with the /etc/sudoers file - is it possible? If so, how?

linux security sudo

4 Answers

  1. Best Answer

    Yes, this is possible.

    In /etc/sudoers the item immediately following the equals is the user that the command will be allowed to execute as.

    tom  ALL=(oracle) /bin/chown tom *

    The user (tom) can type sudo -u oracle /bin/chown tom /home/oracle/oraclefile

    • 57

  2. Add to your /etc/sudoers something like

    tom ALL=(oracle) ALL

    Then user tom should be able to use sudo to run things as user oracle with the -u option, without letting tom

    I.e. getting a shell as user oracle (well, given that your sudo is new enough to have the -i option).

    sudo -u oracle -i
    • 48

  3. To ONLY provide the capabilities in the question, add the following to /etc/sudoers:

    tom            ALL=(oracle)    /bin/bash

    Then tom can:

    sudo -u oracle bash -i
    • 10

  4. For instance, I'd like to allow Tom the DBA to su to the oracle user, but not to the tomcat user or root.

    I needed to do this to a system recently and had a hard time finding my notes on the alternate setup i used years ago that also allowed the syntax su <user>. In my situation I needed to allow multiple users to su to a specific user.

    Create a group using addgroup <groupName> that other users will be able to su to without a password. Then add that group to each user that you want to be able to su to that user without a password: usermod -a -G <groupName> <userName> (or usermod -a -G oracle tom). The group changes might not take affect until next login.

    Note: In your case, you already have the group because oracle group would have been created when you made the oracle user with adduser oracle.

    Now edit /etc/pam.d/su and under the following:

    # This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

    ..add auth rule lines so the section looks like this:

    # This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
auth       [success=ignore default=1] pam_succeed_if.so user = <groupName>
auth       sufficient   pam_succeed_if.so use_uid user ingroup <groupName>

    Replace <groupName> with oracle in this case. This will allow any user that is part of the <groupName> to su <groupName>

    Now tom can su oracle and if you need to give other users the same access, add them to oracle group.

    similar question here

    • 4