Possible Duplicate:
How can I allow one user to su to another without allowing root access?
We have a user account that our DBAs use (oracle). I do not want to set a password on this account and want to only allow users in the dba group to su - oracle.
How can I accomplish this?
I was thinking of just giving them sudo access to the su - oracle command. However, I wouldn't be surprised if there was a more polished/elegant/secure way.
If you are going to give them full access to the user account anyway, why not just let them do whatever they want via sudo directly?
%dba ALL = (oracle) ALL
This line in sudoers will allow anyone in the dba user group to run any command as the oracle user, including getting a shell with either sudo -su oracle or sudo -iu oracle for a login shell.
Alternatively, if you don't want them to have access to everything, you can substitute the last ALL with a list of commands to limit them to, eg.
%dba ALL = (oracle) /bin/chmod, /usr/local/bin/oracleclient localhost
Yes, there is. Use
sudo -u oracle -i
and add permissions for nopasswd default shell like:
%dba ALL=(oracle)NOPASSWD: /bin/bash
