[sudo-users] allowing command with or without parameter
Todd C. Miller
Todd.Miller at courtesan.com
Fri Nov 9 12:41:52 EST 2012
On Fri, 09 Nov 2012 15:31:31 GMT, Holger.vanKoll at swisscom.com wrote:
> I want to allow users of the (unix-)group "dba" to be able to su
> to (unix-)user db2tip.
> They shall be able to do
> sudo su - db2tip
> but also
> sudo su - db2tip -c /any/command.
> Currently I use this in sudoers
> %dba ALL=(ALL) NOPASSWD: /usr/bin/su - db2tip, /usr/bin/su - db2tip *
> and it works; however, can this be combined into one statement?
If you really want a single rule you could use:
%dba ALL=(ALL) NOPASSWD: /usr/bin/su - db2tip*
However that would match not just "db2tip" but any user name that
starts with "db2tip". I think you are better off with two rules.
> I know about the presence of the -u flag, however, would like to
> not force the users to use it.
Personally, I would have used "sudo -i -u db2tip" instead of "sudo
su - db2tip". I.e., use sudo to set up the login environment instead
of su, but I am probably biased.
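
Added example, not part of the original message and not sudo's own code: a small audit helper that compares the two-rule form with the single wildcard rule from this thread. It approximates sudoers argument matching with Python's fnmatch (arguments joined into one string, so "*" crosses word boundaries) and compares the command path literally; the account name "db2tip2" and the sample invocations are constructed.

```python
from fnmatch import fnmatchcase

# Rules from the thread as (command path, argument pattern) pairs.
TWO_RULES = [("/usr/bin/su", "- db2tip"), ("/usr/bin/su", "- db2tip *")]
ONE_RULE = [("/usr/bin/su", "- db2tip*")]

# Constructed invocations; "db2tip2" is a made-up account name that
# merely starts with "db2tip".
SAMPLES = [
    ["/usr/bin/su", "-", "db2tip"],
    ["/usr/bin/su", "-", "db2tip", "-c", "/any/command"],
    ["/usr/bin/su", "-", "db2tip2"],
    ["/usr/bin/su", "-", "db2tip2", "-c", "/any/command"],
    ["/usr/bin/su", "-", "root"],
]


def allowed(rules, argv):
    """Return True if argv (path followed by arguments) matches a rule.

    Assumption: the arguments are joined with single spaces and matched
    as one string against the rule's argument pattern, which is how the
    sudoers manual describes wildcard matching of command arguments.
    """
    path, args = argv[0], " ".join(argv[1:])
    return any(
        path == rule_path and fnmatchcase(args, pattern)
        for rule_path, pattern in rules
    )


def audit(samples=SAMPLES):
    """Return (command line, allowed by two rules, allowed by one rule)."""
    return [
        (" ".join(argv), allowed(TWO_RULES, argv), allowed(ONE_RULE, argv))
        for argv in samples
    ]


def overmatched(samples=SAMPLES):
    """Command lines the single wildcard rule allows but the pair does not."""
    return [cmd for cmd, two, one in audit(samples) if one and not two]


if __name__ == "__main__":
    for cmd, two, one in audit():
        print(f"{cmd:45} two-rules={two!s:5} one-rule={one}")
    print("allowed only by the wildcard rule:", overmatched())
```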