I want to authorize common users to be administrators, so that those authorized users can create accounts, delete accounts, modify passwords, and modify password rules. I know su could help; I wonder if there are any other methods that work? Thanks a lot!
sudo is the usual method (man sudo). It allows you to specify that a particular user can run a particular set of commands as a different particular user (usually, but not always, root), authenticates them with their own password to prove that they're them, and logs what they've done. Users and commands can be grouped for easy administration.
Note that there can be issues with commands that allow shell access, or editing arbitrary files; if, say, you allow someone to sudo vi as root, you're effectively trusting them to do anything as root (though there are mitigating measures that can be taken even against that). But such issues aside, it's an excellent system for delegating trust, and most sysadmins I know have been using it for years.
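A sudoers drop-in for the delegation asked about above, added here as an example and not part of the original answer. The group name acctadmins, the file name and the binary and config paths are assumptions; adjust them to your system.

```sudoers
# /etc/sudoers.d/account-admins  (hypothetical file name)
# Edit with: visudo -f /etc/sudoers.d/account-admins
# Assumed: a Unix group "acctadmins" and the paths below (verify with `command -v`).

# Create and delete accounts.
Cmnd_Alias ACCT_MGMT = /usr/sbin/useradd, /usr/sbin/userdel

# Set passwords for named users, but never root's
# (this pattern is the one shown in the sudoers manual).
Cmnd_Alias PASSWD_MGMT = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*

# Password rules live in config files.
# WEAK: an editor running as root can open a shell or any other file:
#   Cmnd_Alias PW_RULES = /usr/bin/vi /etc/login.defs
# BETTER: sudoedit runs the editor as the invoking user on a temporary
# copy; only the named file is written back as root.
Cmnd_Alias PW_RULES = sudoedit /etc/login.defs, \
                      sudoedit /etc/security/pwquality.conf

# Members authenticate with their own password; sudo logs each command.
%acctadmins ALL = (root) ACCT_MGMT, PASSWD_MGMT, PW_RULES
```

Check the syntax with visudo -c -f on the file before relying on it, and have a member run sudo -l to see exactly what they have been granted.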
What exactly are you trying to accomplish? If in your case you are offering e-mail or web page service, and you would like to delegate the account management of those accounts to some other users, then it might be a good idea to separate those accounts from the actual system accounts. That way restricting the things the people can do at your server is much easier and clearer. So, keep only the system accounts in /etc/passwd and separate everything else to MySQL/OpenLDAP/some other system.
Since I don't know what you are actually going to do, I'm not going to type a long tutorial, but here's the concept in a nutshell. I assume here you need to provide an email service and someone (or something, such as a Perl script) needs to modify the user accounts for that. Let's put the accounts into OpenLDAP.
1) Install the POP/IMAP server software of your choice. Most, if not all, of them do support PAM authentication.
2) Install pam_ldap (and most likely nss_ldap), so you can point the authentication phase to look up the accounts from OpenLDAP.
4) Configure your mail software to use LDAP and/or modify /etc/pam.d/{pop3,imap} to use pam_ldap.
5) Create your initial OpenLDAP database with the needed LDAP schema. There are scripts bundled with OpenLDAP that can do that for you.
6) Install the LDAP administration tools of your choice. Command-line tools, web-interfaces, GUIs and APIs are all available.
7) Give your trustees access to your LDAP administration interface.
8) Make sure that only the e-mail service is available through LDAP authentication and not the other services, such as normal shell login.
9) Bang! Your trustees can administer your e-mail accounts but not easily harm your server.