[SOLVED] Limit sudo access

idny · 02-17-2011, 04:09 AM

Hello,

I have been reading guides for a while now and so far have not found an exact solution to my problem.

I want a linux user (dave) to be able to switch to another account (patrol) without a password prompt, but dave must still be denied access to root. Patrol must also be denied root access.

In the sudoers file

Code:

User_Alias     Patrol=dave,john

root ALL=(ALL) ALL
Patrol ALL=(patrol) NOPSSWD: ALL

Dave is prompted for a password when typing

Code:

[dave@server]$ su - patrol
Password:

How can i resolve this?
Thanks in advance.

MensaWater · 02-17-2011, 07:43 AM

When you type "su - patrol" you're not using sudo. He must type "sudo su - patrol" instead.

jschiwal · 02-17-2011, 07:54 AM

You can use "sudo -i -u patrol <command>".
The -i "interactive" option is the same as su's -l or - "login" option.

chrisretusn · 02-17-2011, 08:26 AM

Quote:

Originally Posted by idny

I want a linux user (dave) to be able to switch to another account (patrol) without a password prompt, but dave must still be denied access to root. Patrol must also be denied root access.

You can create or add the below to /etc/suauth that will do what you want.

Code:

# /etc/suauth 
#
patrol:dave:NOPASS

This will allow dave to su in to the account patrol without a password.

Reuti · 02-17-2011, 08:32 AM

When I get the man page of sudoers right:

Code:

NAME ::= [A-Z]([A-Z][0-9]_)*

the aliases' names must all be uppercase.

NB: You missed an A in NOPSSWD?

idny · 02-18-2011, 07:30 AM

thanks for all your replies.

I managed to solve it in the end.
I found out that when you type su -
it calls su.original.

I have set up an alias

Code:

alias patrol=sudo -u patrol -i

and added this to the sudoers file.

Code:

PATROL ALL=NOPASSWD: !/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - patrol, /bin/su - patrol, /bin/su.original - patrol
PATROL ALL=(patrol) NOPASSWD: ALL

this has solved the problem.
Users defined in the PATROL user alias can now su - patrol without a password, but are denied ROOT access.
Patrol is also denied root access.

Hope this helps someone else

chrisretusn · 02-18-2011, 09:49 PM

@idny, a very nice solution using sudoers!