Onboarding user and system accounts on a Red Hat Linux Server

Flex Tron asked
Last Modified: 2019-06-21
Dear Gurus,
I have been given root access to a Red Hat Linux server 7.5.
Now I need to do the below:

Onboard a user: george with a home directory /home/george
I used:
adduser -m george

It works.

Onboard an application Account (System User): java_user
I used:
 adduser -r java_user

It works

Define a home directory for the java_user: /home/java_datahub
I used:
usermod -d /home/java_datahub java_user


The above command doesn't do anything. The directories already exist.

Give sudo access to george so that he can log in to the application account once on the server using the below command:
sudo su - java_user

I am not sure how to do this.

Kindly suggest

Thanks

CERTIFIED EXPERT

Commented:
Hi,

You have to add george to the /etc/sudoers file with visudo, i.e. nano, vi or any editor you see fit for this:

# visudo

Then add:

george ALL=(ALL) NOPASSWD: /bin/su -s /bin/bash - java_user

If you don't use the -s /shell/path notation, and the java_user account has no interactive shell defined, you will encounter an error saying 'This account is currently not available'.

Note that existing application users might have group based sudo rights. Defined group names are preceded with a %.
If that's the case then you only need to add george to the particular group:

# usermod -a -G group_name george


Save the file and exit.

Cheers
CERTIFIED EXPERT

Commented:
On most systems, you can add george to the sudoers builtin group using usermod
Flex Tron, Developer

Author

Commented:
Dear Gurus
I did the below
visudo
george ALL=(ALL) NOPASSWD: /bin/su -s /bin/bash - java_user


After that logged in as George
 sudo su - java_user
[sudo] password for george:
Sorry, user george is not allowed to execute '/bin/su - java_user' as root on the server.


In other words, is there anything else I am missing?
Help is appreciated.
CERTIFIED EXPERT

Commented:
what you allowed is explicitly "/bin/su -s /bin/bash - java_user" which is not the command you typed

you probably want

george ALL=(java_user) NOPASSWD

possibly followed by ':' and the command you want to allow. the above will allow george to run any command as java_user
Flex Tron, Developer

Author

Commented:
I added in visudo
george ALL=(java_user) NOPASSWD:/bin/su -s /bin/bash - java_user


Logged in as george and then

sudo su - java_user
[sudo] password for george:
Sorry, user george is not allowed to execute '/bin/su - java_user' as root on the server.
george ALL=(java_user) NOPASSWD: /bin/su -s /bin/bash - java_user

Same Error.
Developer
Commented:
Seems like I found the issue.
So in Unix every user belongs to a group.
So I needed to add myself to the 'Wheel' group or, since George belonged to the 'George' group,
add in visudo
%george ALL = (ALL)  NOPASSWD:ALL
CERTIFIED EXPERT

Commented:
this is similar to the answer I provided, but

- "%george" is george's group while "george" is the user
- with or without ":ALL", the statements are equivalent.

and the more problematic
- "(ALL)" allows george to impersonate any user including root without providing a password which is most likely NOT what you want

... you really should try the exact line I provided without adding some messy trailing command.
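
Added example, not part of the thread and not any participant's code: a simplified shell model of how sudo checks one sudoers entry against a request, run over the rules quoted above, showing why `sudo su - java_user` was refused twice and why the `%george ... (ALL) NOPASSWD:ALL` line let it through. The function names `field` and `allowed` are made up for this sketch; it assumes single-entry rules with no aliases, wildcards or Runas groups, and it does not check the user and host fields.

```shell
#!/bin/sh
# Simplified model of how one sudoers entry is checked against a request.
# Assumptions: a single "who host=(runas) [NOPASSWD:] command" entry, no
# aliases, wildcards or Runas groups; the who/host fields are not checked.

# field RULE runas|cmd -> print that part of the rule
field() {
    case $1 in
        *"("*")"*) runas=$(printf '%s\n' "$1" | sed 's/^[^(]*(\([^)]*\)).*$/\1/') ;;
        *)         runas=root ;;   # sudoers default when no (runas) is given
    esac
    cmd=$(printf '%s\n' "$1" | sed -e 's/^[^=]*=[[:space:]]*//' \
        -e 's/^([^)]*)[[:space:]]*//' -e 's/^NOPASSWD:[[:space:]]*//' \
        -e 's/[[:space:]]*$//')
    if [ "$2" = runas ]; then echo "$runas"; else echo "$cmd"; fi
}

# allowed RULE TARGET_USER COMMAND [ARGS...] -> print "allowed" or the reason
allowed() {
    rule=$1 target=$2; shift 2
    typed=$*
    runas=$(field "$rule" runas)
    cmd=$(field "$rule" cmd)
    if [ "$runas" != ALL ] && [ "$runas" != "$target" ]; then
        echo "denied: rule does not cover running as $target"; return
    fi
    case $cmd in
        ALL)   echo allowed ;;   # any command
        *" "*) # rule lists arguments: the typed command line must be identical
               if [ "$typed" = "$cmd" ]; then echo allowed
               else echo "denied: arguments differ from the rule"; fi ;;
        *)     # bare path: any arguments are accepted
               if [ "${typed%% *}" = "$cmd" ]; then echo allowed
               else echo "denied: command not listed"; fi ;;
    esac
}

# Rules quoted from the thread; R4 is the runas-scoped form written out
# with ": ALL" (an assumption about the intended full line).
R1='george ALL=(ALL) NOPASSWD: /bin/su -s /bin/bash - java_user'
R2='george ALL=(java_user) NOPASSWD:/bin/su -s /bin/bash - java_user'
R3='%george ALL = (ALL)  NOPASSWD:ALL'
R4='george ALL=(java_user) NOPASSWD: ALL'

# "sudo su - java_user" requests /bin/su as root, since no -u is given.
for r in "$R1" "$R2" "$R3" "$R4"; do allowed "$r" root /bin/su - java_user; done
# "sudo -u java_user /bin/bash" requests a shell as java_user.
allowed "$R4" java_user /bin/bash
```

With the runas-scoped rule, the account is reached with `sudo -u java_user` (or `sudo -iu java_user` for a login shell) rather than through `su`, so nothing in the rule grants root.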
Flex Tron, Developer

Author

Commented:
Thanks Gurus for all your help.