[sudo-users] Authentication as "original" username
james.roberts-thomson at anz.com
Wed Oct 10 18:13:32 EDT 2012
Long time user of "sudo", first time poster.
I've been trying to figure out if the following scenario is possible,
and if so, how to do it:
1. Login to remote server as "normal" user via SSH.
2. Use "sudo -u <user2> <shell>" to become a 2nd userID on remote server.
3. Use "sudo -u <user3> <shell>" to become yet a 3rd userID on remote
server; BUT require this command to authenticate to sudo as the
"normal" (originally logged in) server.
I've looked at the "runaspw" / runas_default settings; but I'm not
sure they are going to work the way I want: neither "user2" nor "user3"
has a password, and ideally I'd need "sudo" to dynamically determine
the "original" username.
Why on earth would I want to do this? Good question!
We're using Solaris 10 servers, and we're attempting to use Solaris'
"Role Based Access Control" (RBAC) to admin the servers, so that
Admins don't become "root" all the time to do "stuff".
The idea is that they login as themselves, transition to a "role"
userID which is slightly privileged; and if they need to, further
escalate to a "more privileged" role to gain more access. Ideally,
we'd like to transition from role1 to role2 using the original user's
password for authentication; hence the scenario above. Just to
complicate matters, we aren't permitted to use "sudo su -" to switch
between users, hence the "sudo -u <username> <shell>" entries above -
the "shell" is actually another authentication layer that validates
access against our change-control database and runs the shell if
access is "approved".
At this stage, I don't see a method of doing this directly via SUDO.
Clearly, we can exit the "user2" shell and become "normal" again, then
run sudo to become "user3" from "normal"; but it would be a
nice-to-have to be able to go from "user2" to "user3" without having
to drop back to the original user first.
Any help appreciated!
Thanks in advance,
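One way to write the three hops above in sudoers, as an added example that is not from the post (the group name "admins", the wrapper path /usr/local/bin/rolewrap and the log path are assumptions), showing at which hop sudo's password prompt binds to which account:

```sudoers
# Added example, not from the post. Assumed names: group "admins" for the
# "normal" SSH logins, /usr/local/bin/rolewrap for the change-control
# wrapper shell described in the post.
Cmnd_Alias ROLE_SHELL = /usr/local/bin/rolewrap

# Hop 1 -> 2: a normal user starts the role shell as user2. sudo's default
# authentication applies: it asks for the invoking user's own password,
# which is the behaviour the post wants.
%admins  ALL = (user2) ROLE_SHELL

# Hop 2 -> 3: inside the user2 shell, sudo's invoking user is user2, not the
# original login, so this rule prompts for user2's password by default.
user2    ALL = (user3) ROLE_SHELL

# sudo's alternatives for that prompt are runaspw (password of the
# runas_default account) and targetpw (password of the -u target). Both
# pick a fixed account rather than the originally logged-in user, and
# neither helps when user2/user3 have no password, so they are left off.
#
# What does survive the chain is the audit trail: sudo logs each hop
# separately, and the inner hop sees SUDO_USER=user2. Keep a dedicated
# log so the two hops can be correlated back to the SSH login.
Defaults logfile=/var/log/sudo.log
```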