Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

sudo su [-] <list of users>

Posted on 2010-09-04
4
Medium Priority
?
790 Views
Last Modified: 2013-12-16
I want a good syntax for allowing one group of users to be able to access a list of functional accounts using sudo.  I wrote something like

User_Alias ADMIN = a, b, c
ADMIN  ALL = (ALL) /bin/su - functional1, /bin/su - functional2, ...

I want something more elegant with '-' after su to be optional
0
Comment
Question by:farzanj
  • 3
4 Comments
 
LVL 6

Accepted Solution

by:
apresence earned 500 total points
ID: 33605598
Hate to break the bad news, but I don't believe it is possible to do this because the sudoers file uses glob wildcards, not regular expressions.  Globs allow you to do things with allowing one or more of a certain character, etc, but do not allow you to provide alternate strings as options.  Unfortunately, if it supported regular expressions, then this would be trivial to do.

More info here:
http://www.sudo.ws/sudo/sudoers.man.html
http://jamesthornton.com/linux/man/glob.7.html

Alternatively, you could write a script that expands a list of users into the required syntax and updates the sudoers file
0
 
LVL 6

Assisted Solution

by:apresence
apresence earned 500 total points
ID: 33605619
Another (possibly more elegant) way to do this is allow the users to run a script using sudo.  Save the attached code into /bin/su-wrap and chmod it to 700.

Your sudoers file then becomes just this:
User_Alias ADMIN = a, b, c
ADMIN ALL = (ALL) /bin/su-wrap

In my case, I'm using foo1 and foo2 as "ADMIN" users, and allowing either of them to switch to the other.  You can change the 2nd lline of the su-wrap script to list whatever users you want your admins to be able to su over to.  Using your example, you'd put:
ALLOWED_USERS="functional1 functional2".

Testing:
foo1@npx1600734:~ $ sudo su-wrap - foo2
Password:
Executing: /bin/su - foo2
foo2@npx1600734:~ $ exit
foo1@npx1600734:~ $ sudo su-wrap foo2
Executing: /bin/su foo2
foo2@npx1600734:~ $
#!/bin/sh
ALLOWED_USERS="foo1 foo2"
USING_ENV=0
if [ "$1" = "-" ]; then
  USING_ENV=1
  shift
fi
if [ $# -ne 1 ]; then
  echo "Usage: su-wrap [-] username" >&2
  exit 1
fi
for i in $ALLOWED_USERS; do
  if [ $1 = $i ]; then
    if [ $USING_ENV -eq 1 ]; then
      CMD="/bin/su - $i"
    else
      CMD="/bin/su $i"
    fi
    echo "Executing: $CMD"
    $CMD
    break
  fi
done

Open in new window

0
 
LVL 6

Assisted Solution

by:apresence
apresence earned 500 total points
ID: 33605623
Two follow-up notes:
1. Make sure the /bin/su-wrap script is owned by root:root.
2. Remove the trailing "." from this line:
ALLOWED_USERS="functional1 functional2".
so it becomes:
ALLOWED_USERS="functional1 functional2"

Hope it works!
0
 
LVL 31

Author Closing Comment

by:farzanj
ID: 33605994
I think you are right.  Kindly explain one more time why something like

/bin/su [ -] user   (notice a space)
OR
/bin/su ? user

doesn't work.  In the first one I tried to give an option between a space and -.  In the second, I tried to use any character, hoping it would allow either a space or a hyphen.  May be I am thinking too much like regular expressions.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses
Course of the Month8 days, 7 hours left to enroll

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question