Allow login as any user from group by sudoers


I’d like to add a /etc/sudoers rule to allow any user from group admin to login as a user from group users.

Example:

In group admin I have: alan and smith. In group users: anna, mike. And other users: stephen, nick.

alan and smith can do this:

sudo su - anna
sudo su - mike

But they can’t do this:

sudo su -
sudo su - root
sudo su - stephen

I vainly tried something like this:

%admin ALL=(ALL) NOPASSWD:/bin/su - %users

Any ideas?


P.S. it would be ideal if complied with one more dependency:

alan is also in users group and smith can’t do:

sudo su - alan

because alan is in admin group.

I don’t think you actually want or need su for your use case. What you seem to want, is for a certain group of users to be able to arbitrarily assume the identity of any user in a specific other group. You just need sudoers for that:

%admin ALL=(%users) NOPASSWD:ALL

The above sudoers rule means all users in the admin group can run any command as any user in the users group via sudo -u <user> <command>.

If you wanted to, you could limit the commands the admin users can run as another user by replacing the ALL at the end with something more specific. See man sudoers for more on that.

To get a login shell as a given user in the users group, instead of using su, an admin could do:

sudo -u anna /bin/bash -il

A note on su (man su):

The su command is used to become another user during a login session.

su always prompts for the password of the user you are logging in as, except when the invoking user is root. sudo su - [user] does not prompt for a password because you elevate to root (via sudo), then exec su - [user] to start a new login session. But if you don’t want to elevate the sudoer to root, the sudoer needs to know the password of the user they want to su as, defeating the purpose of using sudo in the first place.

You just can’t use the “%users” because that would mean a linux group, not a sudoers variable.

You can do something like the following:

Cmnd_Alias      SWITCH_USERS = /bin/su - anna, /bin/su - mike
%admin      ALL=(ALL) NOPASSWD: SWITCH_USERS

If you are creating the two groups admin/users in the system only for this matter, you may want to create sudoers user aliases instead (so you only have to keep track of the sudoers files). In my personal opinion, it is best to use sudoers options for sudo, and system groups for file/directory permissions (but this is my opinion, not a must).

The sudoers manual is a little difficult to understand in some places. Here you have a good guide (with examples) that may help you edit your sudoers file: how to edit the sudoers file

I think the most useful thing to keep in mind for what you are trying to accomplish is: if you add a complete command in sudoers (with all options and parameters), it must be run exactly that way, so “/bin/su -” won’t work if you specify a username after the command (see my example). You can negate with NOEXEC: a command you want to disallow by any means in sudo, and always use “visudo” to edit /etc/sudoers, which checks the syntax.
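Both answers above come down to a one- or two-line sudoers rule, and the second one ends with the advice to always syntax-check with visudo. The script below is an added example, not code from either answer or from the sudo project: it generates the Runas-group rule from the first answer (%admin ALL=(%users) NOPASSWD: ALL) or the Cmnd_Alias rule from the second one, and installs the result as a drop-in under /etc/sudoers.d only after visudo -cf accepts it, with the 0440 mode sudo expects. The group names, the user list, the alias name SWITCH_USERS and the drop-in path /etc/sudoers.d/admin-as-users are assumptions taken from the question, not anything sudo requires.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the two sudoers rules
# discussed in the answers and installs one as a validated drop-in file.

# make_runas_rule ADMIN_GROUP TARGET_GROUP
# First answer's approach: the Runas_Spec "(%TARGET_GROUP)" limits which
# identities members of ADMIN_GROUP may assume; root is not in that group, so
# "sudo su -" or "sudo -u root ..." is refused. Group names are parameters.
make_runas_rule() {
    # "%%" is a literal "%" in printf's format string.
    printf '%%%s ALL=(%%%s) NOPASSWD: ALL\n' "$1" "$2"
}

# make_su_alias ADMIN_GROUP USER...
# Second answer's approach: a Cmnd_Alias listing one "/bin/su - <user>" per
# target user. sudoers matches the full argument vector literally, so a bare
# "/bin/su -" entry would not match "/bin/su - anna" and the group cannot be
# written as "%users" inside the command. The alias name is an assumption.
make_su_alias() {
    admin_group=$1
    shift
    list=""
    for u in "$@"; do
        list="${list:+$list, }/bin/su - $u"
    done
    printf 'Cmnd_Alias SWITCH_USERS = %s\n' "$list"
    printf '%%%s ALL=(ALL) NOPASSWD: SWITCH_USERS\n' "$admin_group"
}

# install_rule DROPIN_PATH  (rule text on stdin)
# Writes the rule to a temporary file, sets mode 0440 (sudo ignores drop-ins
# that are group/world writable), checks the syntax with "visudo -cf" when
# running as root, and only then moves the file into place. A failed check
# leaves the existing sudoers configuration untouched.
install_rule() {
    dropin=$1
    tmp=$(mktemp) || return 1
    cat > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        # -c: check only, do not edit; -f: check this file, not /etc/sudoers
        if ! visudo -cf "$tmp"; then
            echo "sudoers syntax check failed; not installing $dropin" >&2
            rm -f "$tmp"
            return 1
        fi
    else
        echo "warning: not root or visudo missing, syntax not checked" >&2
    fi
    mv "$tmp" "$dropin"
}

# Usage (requires root; the path is an assumption):
#   make_runas_rule admin users | install_rule /etc/sudoers.d/admin-as-users
#   make_su_alias admin anna mike | install_rule /etc/sudoers.d/admin-su-users
# Afterwards, "sudo -l -U alan" lists exactly what alan may run.
```

Use only one of the two generated rules; they grant overlapping privileges. After installing, check the result from the admin's side with sudo -l -U alan, and confirm that sudo -u root true and sudo su - stephen are refused while sudo -u anna id succeeds.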
