[sudo-users] Granting users the ability to su to another user via sudo

Todd C. Miller Todd.Miller at courtesan.com
Wed Sep 22 18:10:19 EDT 2010

In message <EA9AB101-2EFD-404C-B161-4C5EF58E15F0 at ualr.edu>
	so spake John Adams (jxadams):

> I've been asked to allow su'ing to another user without the original
> user having the password of the account to which they're su'ing.
> The obvious way to do this is by using sudo and putting an entry
> like this into the sudoers file:
> %group ALL=(root) su - user
> It seems so simple and obvious that is raises this question: How bad an
> idea is this?

If you give a user the ability to run as shell, either through su
or directly via "sudo -s" or "sudo -i", there will be no logging
of the commands that the user runs inside that shell.

You are basically allowing the user to run any command (without
logging).  You'll need to decide Whether or not you consider that
a problem.

If you want to use "sudo -i" instead of su, the sudoers syntax is:

    %group ALL=(user_to_run_shell_as) /bin/bash

assuming that user_to_run_shell_as's shell is /bin/bash (if not,
adjust accordingly).  When you run "sudo -s" or "sudo -i" the command
that is validate in the sudoers file is the shell for the user in

 - todd

More information about the sudo-users mailing list