Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
This line lets user "x" run ALL commands on ALL hosts as Runas_Alias "y". While the OP remains responsible for questioning the quality and effect of any "advice" given that is NOT what the OP is asking for. Even worse this deliberately weakens security posture without you warning him. I strongly suggest you edit your post to reflect this. If you don't or won't then please keep from posting "advice".
I don't see how it weakens security. OP asked for 'su -y' for x.
After 'su -y' x can do whatever y can do.
troop suggested a solution that allows running any command as y. Why is it weaker security?
It seems to me that in both cases x can do anything y can.
The fact that allowing user x to 'su' to y undermines the purpose of Sudo should be mentioned, yes, and while you're right to conclude that after 'su' x can do whatever y can do, the OP asked for a specific command which is in line with the purpose of Sudo: to allow granular control over what specific commands a user may run.
Quote:
I want user x to sudo into y as
sudo su - y
It doesn't look to me like the OP wants granular control.
And I don't think it undermines the purpose of Sudo:
after all ALL is built into sudo exactly for the cases OP asked about.
There are no security concerns as user "x" has no access to other servers.
I am sorry to say, it may be my fifth (or more) posting here regarding sudo. I don't know why I am allergic to "sudo". I have to learn a lot in sudo.
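
The two sudoers rules being compared in this thread, side by side, as an added example that is not taken from any poster: "x" and "y" are the thread's placeholder user names, and the file name and the /bin/su path are assumptions.

```sudoers
# Constructed example for a drop-in file such as /etc/sudoers.d/x-as-y
# (hypothetical file name). Check syntax with: visudo -cf <file>
# Install one rule or the other, not both.

# Broad rule, as described in the first post: x may run ANY command
# on ALL hosts as y.
#   usage:  sudo -u y <command>    or    sudo -i -u y
#   sudo authenticates x with x's own password and logs every command
#   that x starts through it.
x   ALL = (y) ALL

# Narrow rule matching the OP's literal request: x may run only
# "su - y". su has to execute as root so it can switch to y without
# asking for y's password, hence the (root) Runas entry.
#   usage:  sudo su - y
#   sudo logs the su invocation only. The login shell it opens as y
#   runs outside sudo, so commands typed there are not logged by sudo.
# /bin/su is an assumed path; confirm it with "command -v su".
# Arguments listed in sudoers must match exactly, so "sudo su y" and
# "sudo su - root" are both refused under this rule.
x   ALL = (root) /bin/su - y
```

Running `sudo -l -U x` as root shows which of the two grants is in effect for x. Either rule gives x everything y can do; they differ in what sudo records and in whether x can target any account other than y.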