76

I'd like to allow certain users to su to another user account without having to know that account's password, but not allow access to any other user account (i.e. root).
For instance, I'd like to allow Tom the DBA to su to the oracle user, but not to the tomcat user or root.

I imagine this could be done with the /etc/sudoers file - is it possible? If so, how?

gharper
  • 5,535

4 Answers

63

Yes, this is possible.

In /etc/sudoers the item immediately following the equals is the user that the command will be allowed to execute as.

tom  ALL=(oracle) /bin/chown tom *

The user (tom) can type sudo -u oracle /bin/chown tom /home/oracle/oraclefile

Brent
  • 24,065
57

Add to your /etc/sudoers something like

tom ALL=(oracle) ALL

Then user tom should be able to use sudo to run things as user oracle with the -u option, without letting tom

I.e. getting a shell as user oracle (well, given that your sudo is new enough to have the -i option).

sudo -u oracle -i
10

To ONLY provide the capabilities in the question, add the following to /etc/sudoers:

tom            ALL=(oracle)    /bin/bash

Then tom can:

sudo -u oracle bash -i
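The three answers above differ only in the command field of the sudoers line, and the first one uses a wildcard in the arguments. The following is an added example (not code from any of the answers, and not sudo's real parser): a small Python model of one user specification, `user HOST=(runas) command`, that evaluates whether a given caller, run-as user and argv would match. It covers only what the page uses (ALL hosts, a single run-as user, ALL or one command with optional arguments); hostnames, Runas groups, NOPASSWD tags and aliases are deliberately not modelled. The user and file names in `sudoers_demo()` are the ones from the question.

```python
"""Toy model of one sudoers user specification, 'user HOST=(runas) command'.

Added example, not code from the original answers and not sudo's parser.
Only the subset used on this page is modelled: one user, ALL hosts, one
run-as user, and either ALL or one command with optional arguments.
"""
import fnmatch
import re

# Splits e.g.  tom ALL=(oracle) /bin/chown tom *  into its four fields.
_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]+)\)\s*(?P<cmd>.+)$"
)


def parse_spec(line):
    """Return (user, host, runas, command) for a sudoers user specification."""
    m = _SPEC.match(line.strip())
    if not m:
        raise ValueError("unsupported sudoers line: %r" % line)
    return (m.group("user"), m.group("host"),
            m.group("runas").strip(), m.group("cmd").strip())


def command_matches(spec_cmd, argv):
    """True if argv (list of strings) matches the command field of a spec.

    Mirrors the sudoers rules that matter here:
      * 'ALL' matches any command;
      * a bare path with no arguments matches that program with any arguments;
      * a path followed by arguments matches only those arguments; wildcards
        are shell-style and, as in sudoers, the comparison is done on the
        space-joined argument string, so '*' also matches across words.
    """
    if spec_cmd == "ALL":
        return True
    parts = spec_cmd.split()
    if parts[0] != argv[0]:
        return False
    if len(parts) == 1:
        return True                      # no args in spec: any args allowed
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(parts[1:]))


def is_allowed(spec_line, caller, runas, argv):
    """Would `caller` be allowed to run argv as `runas` under spec_line?"""
    user, host, spec_runas, spec_cmd = parse_spec(spec_line)
    if user != caller:
        return False
    if host != "ALL":                    # hostnames are not modelled here
        return False
    if spec_runas != "ALL" and spec_runas != runas:
        return False                     # e.g. tom asking for root or tomcat
    return command_matches(spec_cmd, argv)


def sudoers_demo():
    """The three rules from the answers, checked against the question's cases."""
    chown_only = "tom  ALL=(oracle) /bin/chown tom *"
    anything = "tom ALL=(oracle) ALL"
    bash_only = "tom            ALL=(oracle)    /bin/bash"
    results = {}
    results["chown as oracle"] = is_allowed(
        chown_only, "tom", "oracle", ["/bin/chown", "tom", "/home/oracle/oraclefile"])
    # '*' spans the space, so two paths are swallowed by the same rule
    results["chown two files"] = is_allowed(
        chown_only, "tom", "oracle", ["/bin/chown", "tom", "/home/oracle/a", "/home/oracle/b"])
    results["shell as oracle (ALL)"] = is_allowed(anything, "tom", "oracle", ["/bin/bash", "-i"])
    results["shell as root (ALL)"] = is_allowed(anything, "tom", "root", ["/bin/bash", "-i"])
    results["shell as tomcat (ALL)"] = is_allowed(anything, "tom", "tomcat", ["/bin/bash"])
    results["bash as oracle"] = is_allowed(bash_only, "tom", "oracle", ["/bin/bash", "-i"])
    results["chown under bash rule"] = is_allowed(bash_only, "tom", "oracle", ["/bin/chown", "tom", "x"])
    results["other caller"] = is_allowed(anything, "bob", "oracle", ["/bin/bash"])
    return results


if __name__ == "__main__":
    for name, ok in sudoers_demo().items():
        print("%-24s %s" % (name, "allowed" if ok else "denied"))
```

On a real system the equivalent check is `sudo -l -U tom`, which prints the commands and run-as users sudo has resolved for tom; the model above is only for reasoning about the rule before it is installed.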
4

For instance, I'd like to allow Tom the DBA to su to the oracle user, but not to the tomcat user or root.

I needed to do this to a system recently and had a hard time finding my notes on the alternate setup I used years ago that also allowed the syntax su <user>. In my situation I needed to allow multiple users to su to a specific user.

Create a group using addgroup <groupName> that other users will be able to su to without a password. Then add that group to each user that you want to be able to su to that user without a password: usermod -a -G <groupName> <userName> (or usermod -a -G oracle tom). The group changes might not take effect until next login.

Note: In your case, you already have the group, because the oracle group would have been created when you made the oracle user with adduser oracle.

Now edit /etc/pam.d/su and under the following:

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

...add auth rule lines so the section looks like this:

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
auth       [success=ignore default=1] pam_succeed_if.so user = <groupName>
auth       sufficient   pam_succeed_if.so use_uid user ingroup <groupName>

Replace <groupName> with oracle in this case. This will allow any user that is part of <groupName> to su <groupName>.

Now tom can su oracle and if you need to give other users the same access, add them to oracle group.

similar question here

jtlindsey
  • 355
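The two pam_succeed_if lines in the answer above rely on PAM control syntax that is easy to misread: `[success=ignore default=1]` means "if this module succeeds, ignore its result and continue; on any other result, skip the next one module", and `use_uid` makes the second line test the calling user rather than the su target. The following is an added example (not code from the answer and not Linux-PAM itself): a Python walk through that auth stack for several caller/target pairs, showing which ones reach the password prompt. The group memberships and the final `pam_unix`-style line are constructed stand-ins; a real /etc/pam.d/su has more lines than the four modelled here.

```python
"""Toy evaluator for the pam_succeed_if lines added to /etc/pam.d/su.

Added example, not code from the original answer and not Linux-PAM.  It
models only the control flags used in the recipe, enough to show why
members of the target user's group skip the password for that one target
and nobody else does.  Group membership below is constructed sample data.
"""

# Constructed sample data (not from the page): who is in which group.
GROUPS = {
    "oracle": {"oracle", "tom"},
    "tomcat": {"tomcat"},
    "root": {"root"},
}


def in_group(user, group):
    return user in GROUPS.get(group, set())


def su_auth_stack(group_name):
    """The auth lines from the answer, in order, as (control, check) pairs.

    Each check is a function (caller, target) -> bool standing in for the
    module's return value.  'user = <groupName>' tests the PAM user (the su
    target); 'use_uid user ingroup <groupName>' tests the calling user.
    The last line is a stand-in for the usual password module.
    """
    return [
        ("sufficient", lambda caller, target: caller == "root"),               # pam_rootok.so
        ("[success=ignore default=1]", lambda caller, target: target == group_name),  # user = G
        ("sufficient", lambda caller, target: in_group(caller, group_name)),   # use_uid user ingroup G
        ("required", lambda caller, target: False),                            # password prompt (stand-in)
    ]


def run_stack(stack, caller, target):
    """Walk the stack the way PAM does for the controls used here.

    Returns 'no_password' when a 'sufficient' module succeeds before any
    failure, and 'password' when evaluation reaches the final required line.
    """
    i = 0
    while i < len(stack):
        control, check = stack[i]
        ok = check(caller, target)
        if control == "sufficient":
            if ok:
                return "no_password"      # authentication satisfied here
            i += 1                        # a failing 'sufficient' is ignored
        elif control == "[success=ignore default=1]":
            if ok:
                i += 1                    # success: result ignored, continue
            else:
                i += 2                    # anything else: skip the next 1 module
        elif control == "required":
            return "password"             # stand-in for the pam_unix prompt
        else:
            raise ValueError("unsupported control: " + control)
    return "password"


def pam_demo(group_name="oracle"):
    """Outcomes for the question's cases plus two control cases."""
    stack = su_auth_stack(group_name)
    cases = [("tom", "oracle"), ("tom", "tomcat"), ("tom", "root"),
             ("bob", "oracle"), ("root", "tomcat")]
    return {"%s -> %s" % (c, t): run_stack(stack, c, t) for c, t in cases}


if __name__ == "__main__":
    for case, outcome in pam_demo().items():
        print("su %-16s %s" % (case, outcome))
```

The order of the two lines matters: if the `ingroup` line came first, any member of the oracle group could su to every account without a password, because nothing would have checked the target yet.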