Allow login as any user from group by sudoers
I'd like to add a /etc/sudoers rule to allow any user from group admin to login as a user from group users. I have: smith, in group admin. And other users: anna, mike, in group users.
smith can do this:
sudo su - anna
sudo su - mike
But he can't do this:
sudo su -
sudo su - root
sudo su - stephen
I vainly tried something like this:
%admin ALL=(ALL) NOPASSWD:/bin/su - %users
P.S. it would be ideal if complied with one more dependency: alan is in admin. alan is also in users group and smith can't do:
sudo su - alan
I don't think you actually want or need su for your use case. What you seem to want is for a certain group of users to be able to arbitrarily assume the identity of any user in a specific other group. You just need sudoers for that:
%admin ALL=(%users) NOPASSWD:ALL
The above sudoers rule means all users in the admin group can run any command as any user in the users group via sudo -u <user> <command>.
If you wanted to, you could limit the commands the admin users could run as another user by replacing ALL at the end with something more specific. See man sudoers for more on that.
To get a ~login shell for the given users group user, instead of using su, an admin could do:
sudo -u anna /bin/bash -il
A note on su (man su):
The su command is used to become another user during a login session.
su always prompts for the password of the user you are logging in as, except for the case where the invoking user is root.
sudo su - [user] does not prompt for a password because you elevate to root (via sudo), then exec su - [user] to start a new login session. But if you don't want to elevate the sudoer to root, the sudoer needs to know the password of the user they want to su as, defeating the purpose of using sudo in the first place.
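As an added example (not code from either answer), here is a small Python model of how sudo matches the rule above against the asker's accounts. The account database is constructed, and host matching and command matching are deliberately left out; it also shows the P.S. case: because alan is in users as well, the rule lets smith run commands as alan.

```python
import re
from typing import Dict, Set

# Constructed account database for the example (not real users): name -> groups.
GROUPS: Dict[str, Set[str]] = {
    "smith": {"admin"},
    "alan": {"admin", "users"},
    "anna": {"users"},
    "mike": {"users"},
    "stephen": set(),
    "root": set(),
}

# One sudoers User_Spec: <who> <host>=[(<runas>)] [TAG:...] <commands>
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def _matches(spec: str, user: str) -> bool:
    """Does a sudoers user/runas word (a user name, %group, or ALL) match `user`?"""
    if spec == "ALL":
        return True
    if spec.startswith("%"):          # %name is a system group, not a variable
        return spec[1:] in GROUPS.get(user, set())
    return spec == user


def may_run_as(rule: str, invoker: str, target: str) -> bool:
    """Simplified sudoers check: may `invoker` run a command as `target`?

    Host is assumed to match (ALL) and the command list is not evaluated.
    """
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparseable rule: {rule!r}")
    if not _matches(m["who"], invoker):
        return False
    # An omitted runas list means root, exactly as in real sudo.
    runas = m["runas"] if m["runas"] is not None else "root"
    # Only the user half of "(users:groups)" is modelled here.
    runas_users = [s.strip() for s in runas.split(":")[0].split(",")]
    return any(_matches(s, target) for s in runas_users)


RULE = "%admin ALL=(%users) NOPASSWD:ALL"

if __name__ == "__main__":
    for inv, tgt in [("smith", "anna"), ("smith", "root"), ("smith", "stephen"), ("smith", "alan")]:
        print(f"{inv} -> {tgt}: {'allowed' if may_run_as(RULE, inv, tgt) else 'denied'}")
```

On a real system the authoritative check is `visudo -c` followed by `sudo -l -U smith`, which prints exactly what the policy grants that user.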
You just can't use the "%users" because that would mean a Linux group, not a sudoers variable.
You can do something like the following:
Cmnd_Alias SWITCH_USERS = /bin/su - anna, /bin/su - mike
%admin ALL=(ALL) NOPASSWD: SWITCH_USERS
If you are creating two groups admin/users in the system only for this matter, you may want to create sudoers user aliases instead (so you only have to keep track of sudoers files). In my personal opinion, it is best to use sudoers options for sudo, and system groups for file/directory related permissions (but this is my opinion, not a must).
The sudoers manual is a little bit difficult to understand in some topics. Here you have a good guide (with examples) that may help you edit your sudoers file: how to edit the sudoers file
I think the most useful thing to keep in mind for what you are trying to accomplish is: if you add a complete command in sudoers (with all options and parameters), it should be run that way, so "/bin/su -" won't work if you specify a username after the command (see my example). You can negate with NOEXEC: a command you want to disallow by any means in sudo, and always use "visudo" to edit /etc/sudoers, since it checks the syntax.