LinuxQuestions.org

Linux - Security: Limit sudo access - No Password Prompt (http://www.linuxquestions.org/questions/linux-security-4/limit-sudo-access-no-password-prompt-863287/)

idny 02-17-2011 04:09 AM

Limit sudo access - No Password Prompt
 
Hello,

I have been reading guides for a while now and so far have not found an exact solution to my problem.

I want a linux user (dave) to be able to switch to another account (patrol) without a password prompt, but dave must still be denied access to root. Patrol must also be denied root access.

In the sudoers file

Code:

User_Alias    Patrol=dave,john

root ALL=(ALL) ALL
Patrol ALL=(patrol) NOPSSWD: ALL

Dave is prompted for a password when typing
Code:

[dave@server]$ su - patrol
Password:

How can I resolve this?
Thanks in advance.

MensaWater 02-17-2011 07:43 AM

When you type "su - patrol" you're not using sudo. He must type "sudo su - patrol" instead.

jschiwal 02-17-2011 07:54 AM

You can use "sudo -i -u patrol <command>".
The -i "interactive" option is the same as su's -l or - "login" option.

chrisretusn 02-17-2011 08:26 AM

Quote:

Originally Posted by idny (Post 4261322)
I want a linux user (dave) to be able to switch to another account (patrol) without a password prompt, but dave must still be denied access to root. Patrol must also be denied root access.

You can create or add the below to /etc/suauth that will do what you want.

Code:

# /etc/suauth
#
patrol:dave:NOPASS

This will allow dave to su in to the account patrol without a password.

Reuti 02-17-2011 08:32 AM

If I read the sudoers man page right:
Code:

NAME ::= [A-Z]([A-Z][0-9]_)*
the aliases' names must all be uppercase.

NB: You missed an A in NOPSSWD?
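Both of the points raised in this thread so far (alias names must be uppercase, and NOPSSWD is a misspelling of NOPASSWD) are the kind of mistake that is easy to catch with a small lint before a fragment ever goes near /etc/sudoers. The checker below is an added example, not from this thread or from the sudo project; the sudoers text it scans is a constructed copy of the fragment in the first post, and the function name `lint_sudoers`, the message wording and the tag list are my own. It reports three classes of problem: alias names that do not match the sudoers(5) NAME grammar, user specifications that refer to an alias which was never defined (sudo would then treat the word as a literal user name), and unknown tags in front of a command list. On a real host, still run `visudo -c -f <file>` on the fragment; this script is a quick pre-check, not a replacement for the real parser.

```python
import re

# sudoers(5) grammar: NAME ::= [A-Z]([A-Z][0-9]_)*  (uppercase, digits, underscore)
ALIAS_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")
ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# Tags sudoers accepts in front of a command list (a subset of sudoers(5)).
KNOWN_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
              "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

# Constructed copy of the fragment from the first post, mistakes included.
ORIGINAL = """\
User_Alias    Patrol=dave,john

root ALL=(ALL) ALL
Patrol ALL=(patrol) NOPSSWD: ALL
"""

# Constructed corrected version: uppercase alias name, NOPASSWD spelt right.
FIXED = """\
User_Alias PATROL = dave, john

root ALL=(ALL) ALL
PATROL ALL=(patrol) NOPASSWD: ALL
"""


def lint_sudoers(text):
    """Return [(line_no, message), ...] for mistakes that make a sudoers
    fragment fail to parse or silently do something other than intended."""
    lines = text.splitlines()
    defined = set()
    problems = []

    # Pass 1: collect alias definitions so references can be checked later.
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        parts = line.split(None, 1)
        kind, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if kind in ALIAS_KINDS:
            name = rest.split("=", 1)[0].strip()
            if ALIAS_NAME.match(name):
                defined.add(name)
            else:
                problems.append((n, f"alias name {name!r} is not uppercase; "
                                    "sudoers requires [A-Z]([A-Z][0-9]_)*"))

    # Pass 2: user specifications of the form  who host = (runas) TAG: cmnds
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        who = line.split(None, 1)[0]
        if who in ALIAS_KINDS:
            continue
        # A capitalised word that is not a defined alias is read as a user name.
        if (who != "ALL" and who[0] not in "%+" and not who.islower()
                and who not in defined):
            problems.append((n, f"{who!r} is not a defined alias, so sudo "
                                "treats it as a literal user name"))
        m = re.search(r"=\s*(\([^)]*\))?\s*(.*)$", line)
        if not m:
            problems.append((n, "not a user specification (no '=')"))
            continue
        for tag in re.findall(r"\b([A-Z_]+):", m.group(2)):
            if tag not in KNOWN_TAGS:
                problems.append((n, f"unknown tag {tag!r}; did you mean NOPASSWD?"))
    return problems


if __name__ == "__main__":
    for label, fragment in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"== {label} ==")
        for n, msg in lint_sudoers(fragment):
            print(f"line {n}: {msg}")
```

Run against the first post's fragment it flags line 1 (lowercase alias name) and line 4 twice (undefined alias `Patrol`, unknown tag `NOPSSWD`); the corrected fragment comes back clean.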

idny 02-18-2011 07:30 AM

Thanks for all your replies.

I managed to solve it in the end.
I found out that when you type su -
it calls su.original.

I have set up an alias
Code:

alias patrol='sudo -u patrol -i'
and added this to the sudoers file.
Code:

PATROL ALL=NOPASSWD: !/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - patrol, /bin/su - patrol, /bin/su.original - patrol
PATROL ALL=(patrol) NOPASSWD: ALL

This has solved the problem.
Users defined in the PATROL user alias can now su - patrol without a password, but are denied ROOT access.
Patrol is also denied root access.

Hope this helps someone else :)

chrisretusn 02-18-2011 09:49 PM

@idny, a very nice solution using sudoers!

