[sudo-users] allowing command with or without parameter

Holger.vanKoll at swisscom.com Holger.vanKoll at swisscom.com
Fri Nov 9 10:31:31 EST 2012


I want to allow users of the (unix-)group "dba" to be able to su to (unix-)user db2tip.

They shall be able to do
sudo su - db2tip
but also
sudo su - db2tip -c /any/command.

Currently I use this in sudoers

%dba ALL=(ALL)     NOPASSWD: /usr/bin/su - db2tip, /usr/bin/su - db2tip *

and it works; however, can this be combined into one statement?

I thought the sudoers-entry
/usr/bin/su - db2tip *
alone would allow a
sudo su - db2tip
as the asterisk "Means that the preceding symbol (or group of symbols) may appear zero or more times.", but it doesn't.
It allows
sudo su - db2tip ""
sudo su - db2tip /some/command
but not a simple
sudo su - db2tip

I know about the presence of the -u flag; however, I would like to not force the users to use it.

Regs, Holger
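The behaviour described above follows from how sudoers compares arguments: the requested arguments are joined with single spaces into one string and matched against the rule's argument text with fnmatch(3), so the space before the `*` is a literal character that a bare `sudo su - db2tip` cannot supply. The following is an added model of that matching (constructed for this post, not sudo's own code; path globs and quoted arguments are not modelled) that reproduces the three cases the poster observed:

```python
import fnmatch

# Constructed model of sudoers command matching (not sudo's own code):
# sudo compares the requested command path exactly, then joins the requested
# arguments with single spaces into one string and matches that string against
# the rule's argument text with fnmatch(3).  '*' matches any run of characters,
# including the empty string, but a literal space in the pattern must be present.

def rule_matches(rule: str, command: list[str]) -> bool:
    """Does one Cmnd spec (e.g. '/usr/bin/su - db2tip *') permit argv `command`?"""
    parts = rule.split(None, 1)
    rule_path = parts[0]
    rule_args = parts[1] if len(parts) > 1 else None
    path, args = command[0], command[1:]
    if path != rule_path:               # path globs are not modelled here
        return False
    if rule_args is None:               # no argument text: any arguments allowed
        return True
    if rule_args == '""':               # explicit "": the command must take no arguments
        return not args
    # A wildcard spans argument boundaries because the arguments were joined.
    return fnmatch.fnmatchcase(" ".join(args), rule_args)

def allowed(cmnd_list: str, command: list[str]) -> bool:
    """Evaluate a comma-separated Cmnd list, as in the poster's sudoers line."""
    return any(rule_matches(r.strip(), command) for r in cmnd_list.split(","))

# The two rule sets from the post.
WILDCARD_ONLY = "/usr/bin/su - db2tip *"
BOTH = "/usr/bin/su - db2tip, /usr/bin/su - db2tip *"

if __name__ == "__main__":
    for argv in (["/usr/bin/su", "-", "db2tip"],             # no match for WILDCARD_ONLY
                 ["/usr/bin/su", "-", "db2tip", ""],         # joined string ends in a space
                 ["/usr/bin/su", "-", "db2tip", "-c", "/any/command"]):
        print(" ".join(repr(a) for a in argv),
              "wildcard-only:", allowed(WILDCARD_ONLY, argv),
              "both:", allowed(BOTH, argv))
```

Because the joined string for `su - db2tip` never contains the trailing space that `- db2tip *` requires, no single glob covers both forms, which is why the two comma-separated entries are needed. Sudo 1.9.10 and later additionally accept a regular expression in a Cmnd spec when it is written enclosed in `^` and `$`, which can express both forms in one entry.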
