70

I'd like to allow certain users to su to another user account without having to know that account's password, but not allow access to any other user account (i.e. root).
For instance, I'd like to allow Tom the DBA to su to the oracle user, but not to the tomcat user or root.

I imagine this could be done with the /etc/sudoers file - is it possible? If so, how?

gharper
  • 5,425
  • 4
  • 29
  • 35

4 Answers4

59

Yes, this is possible.

In /etc/sudoers the item immediately following the equals is the user that the command will be allowed to execute as.

tom  ALL=(oracle) /bin/chown tom *

The user (tom) can type sudo -u oracle /bin/chown tom /home/oracle/oraclefile

Brent
  • 22,857
  • 19
  • 70
  • 102
  • 6
    This would allow Tom to run commands as oracle, but not to actually become the oracle user – gharper Jun 02 '09 at 15:20
  • 13
    What about sudo -u oracle su -? That would give him a shell opened as the oracle user. Is that what you want? – Brent Jun 02 '09 at 15:23
  • +1 for that last comment, Brent. That would be my answer. – Annika Backstrom Jun 02 '09 at 15:26
  • Yup that'll work! – gharper Jun 02 '09 at 15:30
  • 4
    Something like the following would work: sudo -u oracle -s or sudo -u oracle -i (-s for shell, -i for login - does a login shell). Unfortunately I don't know offhand what you would use in /etc/sudoers to limit the user, but given that you're allowing them shell access, you probably just want to do tom ALL=(oracle) ALL as someone else mentioned. If they can run a shell, you probably don't care about restriction the commands they can run. – Mark Jun 03 '09 at 01:59
  • 2
    Ideally, would you not want Tom to run commands as the oracle user, instead of becoming the oracle user? The distinction is slight, but it provides a great audit log without having to futz with using an audit shell. – Scott Pack Jun 16 '09 at 21:05
50

Add to your /etc/sudoers something like

tom ALL=(oracle) ALL

Then user tom should be able to use sudo to run things as user oracle with the -u option, without letting tom

I.e. getting a shell as user oracle (well, given that your sudo is new enough to have the -i option).

sudo -u oracle -i
Kjetil Joergensen
  • 5,994
  • 1
  • 27
  • 20
  • 8
    I had to use syntax `tom ALL=(oracle)NOPASSWD:ALL` to make sudo not to ask password – snowindy Dec 04 '15 at 05:45
  • snowindy - It is asking tom for his own password to confirm the sudo not for the oracle password. NOPASSWD makes it easier for scripts, but less secure to another user who happens to be running as tom. – JohnDavid Nov 07 '20 at 17:52
10

To ONLY provide the capabilities in the question, add the following to /etc/sudoers:

tom            ALL=(oracle)    /bin/bash

Then tom can:

sudo -u oracle bash -i
karimofthecrop
  • 111
  • 1
  • 2
4

For instance, I'd like to allow Tom the DBA to su to the oracle user, but not to the tomcat user or root.

I needed to do this to a system recently and had a hard time finding my notes on the alternate setup i used years ago that also allowed the syntax su <user>. In my situation I needed to allow multiple users to su to a specific user.

Create a group using addgroup <groupName> that other users will be able to su to without a password. Then add that group to each user that you want to be able to su to that user without a password: usermod -a -G <groupName> <userName> (or usermod -a -G oracle tom). The group changes might not take affect until next login.

Note: In your case, you already have the group because oracle group would have been created when you made the oracle user with adduser oracle.

Now edit /etc/pam.d/su and under the following:

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

..add auth rule lines so the section looks like this:

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
auth       [success=ignore default=1] pam_succeed_if.so user = <groupName>
auth       sufficient   pam_succeed_if.so use_uid user ingroup <groupName>

Replace <groupName> with oracle in this case. This will allow any user that is part of the <groupName> to su <groupName>

Now tom can su oracle and if you need to give other users the same access, add them to oracle group.

similar question here

jtlindsey
  • 323
  • 1
  • 6
  • 16