Allow user to sudo as any user in group

Question

I'm running a service where I have users that are running services from their home directories. They are all in the group serviceusers, and I have a user that will perform automated tasks initiated from a website on the service users files. Lets call him taskrunner.

I am trying to allow taskrunner to sudo as any user in serviceusers.

Now I tried to do this via the sudoers file:

serviceuser=ALL(serviceusers:serviceusers) NOPASSWD:ALL

(I realize that 'serviceusers:serviceusers' means serviceuser user and serviceuser group. But I don't want the taskrunner user to be able to sudo as all users. Just users in the serviceusers group)

So to be more specific I want to be able to run sudo -u serviceuser1 ... not sudo -g serviceusers....

I've been trying to add /etc/pam.d/sudo in order to allow this. But I can't find very good resources for what the proper syntax for the pam.d/sudo file.

---

I know I can add to pam.d/su and allow the user to su to the users in the group, so that may be an option, however I was wondering if it was possible with just plain sudo.

I'm fairly new to server administration so if this is not the correct way to go about this let me know some good resources.

Answer 1

James.

I believe you can achieve the desired result by using this sudoers configuration line:

taskrunner ALL = (%serviceusers) NOPASSWD: ALL

---

The line above tells sudo to authorize taskrunner user to run any commands as any user that is member of the serviceusers group. The related sections from man 5 sudoers are:

 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
               (':' Host_List '=' Cmnd_Spec_List)*

 Cmnd_Spec_List ::= Cmnd_Spec |
                    Cmnd_Spec ',' Cmnd_Spec_List

 Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd

 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

 Runas_List ::= Runas_Member |
                Runas_Member ',' Runas_List

 Runas_Member ::= '!'* user name |
                  '!'* #uid |
                  '!'* %group |
                  '!'* %#gid |
                  '!'* %:nonunix_group |
                  '!'* %:#nonunix_gid |
                  '!'* +netgroup |
                  '!'* Runas_Alias

A User_Spec determines which commands a user may run (and as what user) on specified hosts. By default, commands are run as root, but this can be changed on a per-command basis. The basic structure of a user specification is "who where = (as_whom) what".

A Runas_Spec determines the user and/or the group that a command may be run as. A fully-specified Runas_Spec consists of two Runas_Lists (as defined above) separated by a colon (‘:’) and enclosed in a set of parentheses. The first Runas_List indicates which users the command may be run as via sudo's -u option. The second defines a list of groups that can be specified via sudo's -g option. If both Runas_Lists are specified, the command may be run with any combination of users and groups listed in their respective Runas_Lists. If only the first is specified, the command may be run as any user in the list but no -g option may be specified. If the first Runas_List is empty but the second is specified, the command may be run as the invoking user with the group set to any listed in the Runas_List. If both Runas_Lists are empty, the command may only be run as the invoking user. If no Runas_Spec is specified the command may be run as root and no group may be specified.

Thus, the meaning of my suggested configuration line is:

• User_Spec: taskrunner ALL = (%serviceusers) NOPASSWD: ALL
• User_List: taskrunner
• Host_List: ALL
• Cmnd_Spec_List: (%serviceusers) NOPASSWD: ALL
• Cmnd_Spec: (%serviceusers) NOPASSWD: ALL
• Runas_Spec: (%serviceusers)
• Runas_List: %serviceusers
• Runas_Member: %serviceusers
• Tag_Spec: NOPASSWD:
• Cmnd: ALL