Su command - only one user
 

How to configure su command, that only one user can use it and without giving the password ?

Never heard su could be used without password. Tell us what you need to do. I'm sure there is another solution.

Sounds like you need to set up sudo. The file /etc/sudoers names the user who may use the sudo command, and it names the commands that user may use.

The named user can then run the commands listed for him in the sudoers file, without password.

Another way may be setting SUID bit. Which solution is best depends on what you need to do.

i will like to follow up this post that is why i am writing

nothing to do with networking, moved to Linux - Newbie. and yaawe_freak, please don't do that. just select "subscribe to this thread" nest time please.

also yes totally possible, but very very dumb and dangerous. http://www.phptr.com/articles/articl...seqNum=11&rl=1 if you really want a scenario as insecure and ill-advised as this, sudo would still be a better approach to take.

The sudoers file is well commented. There is an example allowing users to mount the cdrom device as root without a password.

For mounting and unmounting filesystems, use the "users" or "user" option. The mount command is an SUID program. However, it only allows a regular user to mount a filesystem if the "user" or "users" option is used.
For removable devices such as pendrives, use the label or uuid instead of the device.

For other commands in sudoers, be very explicit with the command allowed. Include the full pathname to the command.

You can configure sudo so that members of a certain group can use it after entering their own password. This way, you don't have to distribute the root password, but a third party who has physical access to a group members computer won't be able to run a command as root without knowing the users password.

You can also forbid certain commands such as "sudo /bin/bash" which would give the user unrestricted and unlogged root access. Also be careful with commands like vim which have shell escapes. Only allow rvim which starts vim in the restricted mode; it won't be possible to execute commands or suspend rvim.

This is dangerous because any user will be able to run the command as root. Not just members of a certain group.

Some commands are already SUID programs, and take measures to prevent abuse. For example, the passwd and mount commands. The passwd command is SUID to allow regular users to change their own passwords, which requires write access to /etc/passwd. An entry in /etc/fstab with the "user" or "users" option will allow the owner or any user respectively to mount the filesystem.* The /etc/fstab then becomes the controlling mechanism for the suid mount program. Only go the SUID route if the command is already suid for a good reason and limits what is done as root (or a system user). Programs like mount and password are written with safeguards built in. Setting the suid bit on a program not designed with it's own controlling mechanisms is a very bad idea and shouldn't be done.


For other commands, you can add entries in /etc/sudoers (via the visudo program) to allow group members or regular users to run certain commands as root. You need to be explicit with the command. For example, include the path to the command and any arguments you require. The CDROM mounting commented sample is one example.

If you want to allow some members, such as %admin members to use sudo on any command, but want everything logged, you can forbid certain commands, such as "sudo /bin/bash". Also, some commands have shell escapes. Forbid them but allow safer alternatives. For example using vim is essential for administrative work but you can allow rvim instead. Rvim doesn't allow executing commands or suspending.

Also, consider configuring sudo to use the users password instead of the root password. That way you don't need to distribute the root password, but are protected from a 3rd party gaining physical access to an open console. You need to enforce strong passwords then, so that an %admin member doesn't have an easy to guess password.
----
* For removable devices, I would recommend using the label or uuid instead of the device in the fstab line for that device. The "user" option combined with the "UUID=" entry will allow a normal user to mount the device regardless of which port was used, provided he is the owner of the filesystem (same uid) or for fat32 drives is listed in the "uid=UID/username" mount option.