[sudo-users] allowing command with or without parameter

Todd C. Miller Todd.Miller at courtesan.com
Fri Nov 9 12:41:52 EST 2012

On Fri, 09 Nov 2012 15:31:31 GMT, Holger.vanKoll at swisscom.com wrote:

> I want to allow users of the (unix-)group "dba" to be able to su
> to (unix-)user db2tip.
> They shall be able to do
> sudo su - db2tip
> but also
> sudo su - db2tip -c /any/command.
> Currently I use this in sudoers
> %dba ALL=(ALL)     NOPASSWD: /usr/bin/su - db2tip, /usr/bin/su - db2tip *
> and it works; however; can this combined into one statement?

If you really want a single rule you could use:

    %dba ALL=(ALL)     NOPASSWD: /usr/bin/su - db2tip*

However that would match not just "db2tip" but any user name that
starts with "db2tip".  I think you are better off with two rules.

> I know about the presence of the -u flag, however, would like to
> not force the users to use it.

Personally, I would have used "sudo -i -u db2tip" instead of "sudo
su - db2tip".  I.e. use sudo to setup the login environment instead
of su but I am probably biased.

 - todd

More information about the sudo-users mailing list