
There is a requirement I got. My sudo users (those who have an entry in the sudoers file) should be able to access another user's account, say Oracle, using the following command:

sudo su - Oracle

The above should work with giving the current user's password.

But if the same user is firing the following command:

sudo su -

it shouldn't work, and thus root access shouldn't be given to the current user.

I am not using su because I don't want the current user to know the credentials of the other user (root, Oracle etc.).

Winnie
  • Users should not use `sudo su -`. Instead they should be using `sudo -i -u username`. Having `su` just complicates things. Once you get rid of the gratuitous `su`, then everything can be handled with standard sudo config. See the sudo [examples](http://www.sudo.ws/sudo/sample.sudoers) and manual. – Zoredache Nov 06 '13 at 17:29

1 Answer


If the users do not know the root password, they can su - all day, and they won't get very far. That said, if in the sudoers file you put a line like: (my su is on that path)

Cmnd_Alias ORACLESU = /bin/su - Oracle

then the users can only run that specific command.

You can also negate access to the su - command for root (say to a group called noroot)

%noroot ALL = /bin/su [!-]*,!/bin/su *root*

This is pretty close to what you'll find in the man pages, and it does limit what can be appended to the su command (which may be what you want). There are many more options, and plenty of examples available in the man pages and online.

NickW
  • My exact requirement is with sudo only. Using sudo he should be able to switch to any user except root. Can you provide the entries which have to be made in the /etc/sudoers file so that the requirement works. – Winnie Nov 06 '13 at 10:59
  • I would highly suggest you explicitly specify each account the user can sudo su - into. Su has so many options that can work around the not allowing explicit commands. Plus if you only disallow sudo su -, then the user could potentially sudo su into an account that has more lax sudo access. – Regan Nov 06 '13 at 11:01
  • With the above comment %noroot ALL = !/bin/su *root* the users in noroot can't access another user with the following command, e.g. sudo su - Oracle – Winnie Nov 06 '13 at 11:02
  • I added an example, I'll edit it to fit what you want, but read up on it, don't just cut and paste. Test it, then adjust it to exactly what you want it to do; the only way you can do that is testing, and reading the documentation. – NickW Nov 06 '13 at 11:08
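The following is an added example, not part of the thread or of any of the posters' configurations. It puts together the advice from Zoredache's comment (use `sudo -i -u`, drop the gratuitous `su`) and Regan's comment (allow-list each account explicitly rather than trying to exclude root) as a sudoers drop-in. The group name `appadmins` and the alias name `APPUSERS` are assumptions; `Oracle` is the account from the question. The script writes the fragment to a temporary file and syntax-checks it with `visudo -c -f`, which is the step you would run before installing anything under `/etc/sudoers.d/`.

```shell
#!/bin/sh
# Added example (not from the thread): a sudoers drop-in letting members of
# the group "appadmins" (hypothetical) become the Oracle account via sudo,
# authenticating with their OWN password, while never getting a root shell.

# Emit the fragment. On a real host this goes in /etc/sudoers.d/<name>,
# owned by root, mode 0440, after visudo -c has accepted it.
sudoers_fragment() {
    cat <<'EOF'
# Allow-list the accounts that may be switched to. root is simply not listed,
# so there is nothing to "negate" and nothing for a su option to work around.
Runas_Alias APPUSERS = Oracle

# No NOPASSWD tag: sudo prompts for the invoking user's own password.
# Members may then run any command as Oracle, including a login shell:
#   sudo -i -u Oracle
%appadmins ALL = (APPUSERS) ALL

# Optional: keep the exact "sudo su - Oracle" form from the question working.
# sudo matches the argument list literally, so a bare "sudo su -" (no user)
# and "sudo su Oracle" (no dash) do NOT match this rule.
%appadmins ALL = (root) /bin/su - Oracle
EOF
}

# Syntax-check the fragment the way you would before installing it.
# Exit status is visudo's own; if visudo is not installed locally the check
# is skipped with a message and 0 is returned.
check_fragment() {
    tmp=$(mktemp) || return 1
    sudoers_fragment > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$tmp"
        rc=$?
    else
        echo "visudo not found; skipping syntax check" >&2
        rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Sanity rule for the policy text itself (comments stripped): the Oracle
# grant must be present, and no rule may grant (ALL) as the run-as user or
# an unrestricted /bin/su, either of which would hand out a root shell.
fragment_grants_oracle_only() {
    rules=$(sudoers_fragment | grep -v '^#')
    printf '%s\n' "$rules" | grep -q '^%appadmins ALL = (APPUSERS) ALL$' || return 1
    printf '%s\n' "$rules" | grep -Eq '\(ALL\)|/bin/su -$|/bin/su$' && return 1
    return 0
}

# Stand-alone run: print the fragment, then validate it.
if [ "${0##*/}" != "sh" ] && [ -z "$SUDOERS_EXAMPLE_NO_MAIN" ]; then
    sudoers_fragment
    check_fragment && fragment_grants_oracle_only && echo "fragment OK" >&2
fi
```

Two points worth keeping in mind when adapting this: the `(APPUSERS) ALL` rule is what covers `sudo -i -u Oracle`, so the `/bin/su - Oracle` line is only there for users who have the old habit, and the sudoers manual's own section on the limitations of the `!` operator is the reason the example lists permitted run-as users instead of writing `!root` or `!/bin/su *root*`; a deny rule based on command arguments is easy to sidestep with a renamed binary or a different option spelling, whereas an absent grant cannot be.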