sudo su [-] <list of users>

Posted on 2010-09-04
Last Modified: 2013-12-16
I want a good syntax for allowing one group of users to be able to access a list of functional accounts using sudo.  I wrote something like

User_Alias ADMIN = a, b, c
ADMIN  ALL = (ALL) /bin/su - functional1, /bin/su - functional2, ...

I want something more elegant with '-' after su to be optional
Question by:farzanj
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3

Accepted Solution

apresence earned 125 total points
ID: 33605598
Hate to break the bad news, but I don't believe it is possible to do this because the sudoers file uses glob wildcards, not regular expressions.  Globs allow you to do things with allowing one or more of a certain character, etc, but do not allow you to provide alternate strings as options.  Unfortunately, if it supported regular expressions, then this would be trivial to do.

More info here:

Alternatively, you could write a script that expands a list of users into the required syntax and updates the sudoers file

Assisted Solution

apresence earned 125 total points
ID: 33605619
Another (possibly more elegant) way to do this is allow the users to run a script using sudo.  Save the attached code into /bin/su-wrap and chmod it to 700.

Your sudoers file then becomes just this:
User_Alias ADMIN = a, b, c
ADMIN ALL = (ALL) /bin/su-wrap

In my case, I'm using foo1 and foo2 as "ADMIN" users, and allowing either of them to switch to the other.  You can change the 2nd lline of the su-wrap script to list whatever users you want your admins to be able to su over to.  Using your example, you'd put:
ALLOWED_USERS="functional1 functional2".

foo1@npx1600734:~ $ sudo su-wrap - foo2
Executing: /bin/su - foo2
foo2@npx1600734:~ $ exit
foo1@npx1600734:~ $ sudo su-wrap foo2
Executing: /bin/su foo2
foo2@npx1600734:~ $
ALLOWED_USERS="foo1 foo2"
if [ "$1" = "-" ]; then
if [ $# -ne 1 ]; then
  echo "Usage: su-wrap [-] username" >&2
  exit 1
for i in $ALLOWED_USERS; do
  if [ $1 = $i ]; then
    if [ $USING_ENV -eq 1 ]; then
      CMD="/bin/su - $i"
      CMD="/bin/su $i"
    echo "Executing: $CMD"

Open in new window


Assisted Solution

apresence earned 125 total points
ID: 33605623
Two follow-up notes:
1. Make sure the /bin/su-wrap script is owned by root:root.
2. Remove the trailing "." from this line:
ALLOWED_USERS="functional1 functional2".
so it becomes:
ALLOWED_USERS="functional1 functional2"

Hope it works!
LVL 31

Author Closing Comment

ID: 33605994
I think you are right.  Kindly explain one more time why something like

/bin/su [ -] user   (notice a space)
/bin/su ? user

doesn't work.  In the first one I tried to give an option between a space and -.  In the second, I tried to use any character, hoping it would allow either a space or a hyphen.  May be I am thinking too much like regular expressions.

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
HOw To Install Docker on VMware Workstation 19 345
Trying to install php56 on CentOS 7 get GPG error 5 40
python - find anything after $ question. 9 52
Linux 3 37
Setting up Secure Ubuntu server on VMware 1.      Insert the Ubuntu Server distribution CD or attach the ISO of the CD which is in the “Datastore”. Note that it is important to install the x64 edition on servers, not the X86 editions. 2.      Power on th…
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension ( This reminded me of questions tha…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question