
I was trying to limit the command a specific user can execute in the sudoers file, say I have something like this:

dummy myserver=(ALL:ALL) /usr/sbin/reboot,/usr/sbin/shutdown

My dummy user is only allowed to reboot or shut down the system. I intentionally allow the dummy user to impersonate other users, but any time I try using the -u option of sudo, e.g. sudo -u anotheruser whoami,

I get the following error:

Sorry, user dummy is not allowed to execute '/usr/bin/whoami' as anotheruser on myserver.

I understand I can specifically call out the user and group I want to impersonate in the sudoers, but I am curious as to why the ALL:ALL doesn't work.

I would greatly appreciate your answers.

The (ALL:ALL) does work; your dummy user is just not allowed to execute whoami. You should add /usr/bin/whoami to the list of allowed commands. Your current rule says that dummy can execute /usr/sbin/reboot or /usr/sbin/poweroff as any user and any group. You are allowed to call sudo -u anotheruser /usr/sbin/reboot; its failure to reboot the system will have nothing to do with sudo.

Moreover, there are probably no /usr/sbin/reboot and /usr/sbin/poweroff executables on your system. These are essential commands, so they should be in /sbin.

Summarizing: your /etc/sudoers file should contain a line like this:

dummy myserver=(ALL:ALL) /sbin/reboot, /sbin/poweroff, /usr/bin/whoami
Piotr P. Karwasz
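As an added illustration of the matching the answer describes (this is not code from the question, the answer, or the sudo project), a small Python evaluator that checks a request against one sudoers line: the (runas_user:runas_group) part and the command list are two separate tests, and a bare command name is resolved to an absolute path before it is compared. The PATH_LOOKUP table and the user, host and command names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed stand-in for a PATH search: sudo resolves a bare command
# name to an absolute path before matching it against the command list.
PATH_LOOKUP = {"whoami": "/usr/bin/whoami", "reboot": "/sbin/reboot",
               "poweroff": "/sbin/poweroff"}

@dataclass(frozen=True)
class Rule:
    user: str
    host: str
    runas_user: str    # "ALL" or one user name
    runas_group: str   # "ALL", one group name, or "" when not given
    commands: tuple    # absolute paths the user may run

def parse_rule(line: str) -> Rule:
    """Parse one 'user host=(runas_user:runas_group) cmd, cmd' sudoers line."""
    user, rest = line.split(None, 1)
    host, spec = rest.split("=", 1)
    spec = spec.strip()
    runas_user, runas_group = "root", ""      # sudo's default without a (...) part
    if spec.startswith("("):
        runas, spec = spec[1:].split(")", 1)
        runas_user, _, runas_group = runas.partition(":")
    commands = tuple(c.strip() for c in spec.split(",") if c.strip())
    return Rule(user, host.strip(), runas_user.strip(), runas_group.strip(), commands)

def check(rule: Rule, user: str, host: str, runas: str, command: str) -> Tuple[bool, str]:
    """Decide whether `sudo -u <runas> <command>` run by `user` on `host` matches `rule`."""
    path = command if command.startswith("/") else PATH_LOOKUP.get(command, command)
    if user != rule.user or host != rule.host:
        return False, "rule does not apply to this user on this host"
    if rule.runas_user != "ALL" and runas != rule.runas_user:   # the (...) test
        return False, f"user {user} is not allowed to run commands as {runas}"
    if path not in rule.commands:                               # the command-list test
        return False, f"user {user} is not allowed to execute '{path}' as {runas} on {host}"
    return True, f"{path} as {runas}: allowed"

if __name__ == "__main__":
    original = parse_rule("dummy myserver=(ALL:ALL) /usr/sbin/reboot,/usr/sbin/shutdown")
    fixed = parse_rule("dummy myserver=(ALL:ALL) /sbin/reboot, /sbin/poweroff, /usr/bin/whoami")
    for rule in (original, fixed):
        for cmd in ("whoami", "reboot", "/usr/sbin/reboot"):
            print(rule.commands, cmd, check(rule, "dummy", "myserver", "anotheruser", cmd))
```

With the original rule, whoami is refused even though (ALL:ALL) matched anotheruser, because /usr/bin/whoami is not in the command list; with the answer's corrected line it is allowed.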