LinuxQuestions.org
Old 02-17-2011, 05:09 AM   #1
idny
LQ Newbie
 
Registered: Jan 2011
Posts: 20

Rep: Reputation: 1
Limit sudo access - No Password Prompt


Hello,

I have been reading guides for a while now and so far have not found an exact solution to my problem.

I want a linux user (dave) to be able to switch to another account (patrol) without a password prompt, but dave must still be denied access to root. Patrol must also be denied root access.

In the sudoers file

Code:
User_Alias     Patrol=dave,john

root ALL=(ALL) ALL
Patrol ALL=(patrol) NOPSSWD: ALL

Dave is prompted for a password when typing
Code:
[dave@server]$ su - patrol
Password:

How can I resolve this?
Thanks in advance.
 
Old 02-17-2011, 08:43 AM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,028
Blog Entries: 5

Rep: Reputation: 791
When you type "su - patrol" you're not using sudo. He must type "sudo su - patrol" instead.
 
Old 02-17-2011, 08:54 AM   #3
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
You can use "sudo -i -u patrol <command>".
The -i "interactive" option is the same as su's -l or - "login" option.

Last edited by jschiwal; 02-17-2011 at 08:58 AM.
 
Old 02-17-2011, 09:26 AM   #4
chrisretusn
Member
 
Registered: Dec 2005
Location: Philippines
Distribution: Slackware
Posts: 508

Rep: Reputation: Disabled
Quote:
Originally Posted by idny
I want a linux user (dave) to be able to switch to another account (patrol) without a password prompt, but dave must still be denied access to root. Patrol must also be denied root access.

You can create or add the below to /etc/suauth that will do what you want.

Code:
# /etc/suauth 
#
patrol:dave:NOPASS

This will allow dave to su in to the account patrol without a password.
 
1 members found this post helpful.
Old 02-17-2011, 09:32 AM   #5
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,320

Rep: Reputation: 252
When I get the man page of sudoers right:
Code:
NAME ::= [A-Z]([A-Z][0-9]_)*

the aliases' names must all be uppercase.

NB: You missed an A in NOPSSWD?
 
Old 02-18-2011, 08:30 AM   #6
idny
LQ Newbie
 
Registered: Jan 2011
Posts: 20

Original Poster
Rep: Reputation: 1
Thanks for all your replies.

I managed to solve it in the end.
I found out that when you type su -
it calls su.original.

I have set up an alias
Code:
alias patrol='sudo -u patrol -i'

and added this to the sudoers file.
Code:
PATROL ALL=NOPASSWD: !/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - patrol, /bin/su - patrol, /bin/su.original - patrol
PATROL ALL=(patrol) NOPASSWD: ALL

This has solved the problem.
Users defined in the PATROL user alias can now su - patrol without a password, but are denied ROOT access.
Patrol is also denied root access.

Hope this helps someone else.
 
1 members found this post helpful.
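
Added example, not part of any post in this thread: a small Python linter run over the sudoers lines from posts #1 and #6. It checks the two points raised in post #5 (alias NAME grammar, misspelled tag) and reports rules with no Runas_Spec, which sudo runs as root. The `User_Alias PATROL` line in the second sample is an assumption, and `visudo -c -f <file>` remains the authoritative syntax check on a real system.

```python
import re

# Sudoers lines as posted in #1 (typos kept) and #6. The alias line in
# POST_6 is an assumption: the post does not show its User_Alias definition.
POST_1 = """User_Alias     Patrol=dave,john

root ALL=(ALL) ALL
Patrol ALL=(patrol) NOPSSWD: ALL"""
POST_6 = """# assumed alias definition
User_Alias PATROL=dave,john
PATROL ALL=NOPASSWD: !/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - patrol, /bin/su - patrol, /bin/su.original - patrol
PATROL ALL=(patrol) NOPASSWD: ALL"""

NAME = re.compile(r"[A-Z][A-Z0-9_]*")          # alias NAME rule from sudoers(5)
ALIAS = re.compile(r"(?:User|Runas|Host|Cmnd)_Alias\s+(\S+?)\s*=")
SPEC = re.compile(r"(\S+)\s+\S+?\s*=\s*(.*)")  # who host = rest
RUNAS = re.compile(r"\(([^)]*)\)\s*")
TAG = re.compile(r"([A-Za-z_]+):\s*")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "MAIL", "NOMAIL",
        "FOLLOW", "NOFOLLOW", "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

def lint(text):
    """Return (line_no, finding, detail) tuples for a sudoers fragment."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ALIAS.match(line)
        if m:  # alias names: uppercase letters, digits, underscore only
            if not NAME.fullmatch(m.group(1)):
                findings.append((n, "alias-name", m.group(1)))
            continue
        if not (m := SPEC.match(line)):
            continue
        who, rest = m.groups()
        r = RUNAS.match(rest)
        if not r:  # no Runas_Spec: sudo runs the listed commands as root
            findings.append((n, "runs-as-root", who))
        rest = rest[r.end():] if r else rest
        while (t := TAG.match(rest)):  # consume each "TAG:" prefix
            if t.group(1) not in TAGS:
                findings.append((n, "unknown-tag", t.group(1)))
            rest = rest[t.end():]
    return findings

if __name__ == "__main__":
    for name, cfg in (("post #1", POST_1), ("post #6", POST_6)):
        print(name, lint(cfg))
```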
Old 02-18-2011, 10:49 PM   #7
chrisretusn
Member
 
Registered: Dec 2005
Location: Philippines
Distribution: Slackware
Posts: 508

Rep: Reputation: Disabled
@idny, a very nice solution using sudoers!
 
  


All times are GMT -5.