[sudo-users] sudo to fully switch to another user
daniele at retaggio.net
Wed Dec 6 18:35:27 MST 2017
Let’s suppose the following entry:
%test-sourceusers ALL = (%test-runas) NOPASSWD: /bin/ls, /bin/su -, /bin/bash
ls is working without problem.
What I am not able to accomplish is to become any of the users in %destusers, with its default shell and changing the PWD.
Listing the users with “/bin/su - any_user_in_the_group” would result in a failure because I need to have a dynamic rule.
root@build-jessie-amd64:~# getent group test-sourceusers
root@build-jessie-amd64:~# getent group test-runas
root@build-jessie-amd64:~#
daniele@build-jessie-amd64:~$ sudo -u testdestuser /bin/ls /
bin boot dev etc home initrd.img lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz
daniele@build-jessie-amd64:~$
daniele@build-jessie-amd64:~$ sudo -u testdestuser /bin/bash --login
testdestuser@build-jessie-amd64:/home/daniele$ pwd
testdestuser@build-jessie-amd64:/home/daniele$
testdestuser@build-jessie-amd64:/home/daniele$ logout
daniele@build-jessie-amd64:~$ sudo -u testdestuser /bin/su - testdestuser
The above is not fulfilling my use case because:
- /bin/su will run effectively as the destination user (not root), asking for the password, which is not known/does not exist
- /bin/bash is an example hardcoded shell. Sometimes the shell kind cannot be guessed (csh, ksh, ...)
- cwd does not change upon running the shell, even if the shell is run with --login, as per https://bugzilla.sudo.ws/show_bug.cgi?id=797
Is there another way to fully switch user that I am missing?
If not, is it worth creating a specific entry in Sudo to allow this behavior, without a password or with the password of the source user?
Thank you very much,
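
Added example, not part of the original post and not sudo's own code: `sudo -i -u <user>` runs the target user's own login shell and changes to that user's home directory, but sudoers still has to permit that shell. This sketch derives the shell list from the members of the runas group. The function names, the alias name RUNAS_LOGIN_SHELLS, and the sample passwd lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed passwd(5) lines standing in for the output of `getent passwd`.
sample_passwd() {
    cat <<'EOF'
daniele:x:1000:1000::/home/daniele:/bin/bash
testdestuser:x:1001:1001::/home/testdestuser:/bin/bash
kshuser:x:1002:1002::/home/kshuser:/bin/ksh
svc:x:1003:1003::/nonexistent:/usr/sbin/nologin
EOF
}

# login_shells MEMBERS   (passwd lines on stdin)
# Prints the distinct login shells (field 7) of the comma-separated MEMBERS,
# skipping accounts whose shell is nologin or false.
login_shells() {
    awk -F: -v members="$1" '
        BEGIN { n = split(members, m, ","); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        ($1 in want) && $7 ~ /^\// && $7 !~ /\/(nologin|false)$/ { print $7 }
    ' | sort -u
}

# sudoers_rule SRC_GROUP RUNAS_GROUP MEMBERS   (passwd lines on stdin)
# Emits a Cmnd_Alias holding every login shell in use, plus the rule that lets
# SRC_GROUP run those shells as any member of RUNAS_GROUP without a password.
sudoers_rule() {
    shells=$(login_shells "$3" | paste -s -d ',' - | sed 's/,/, /g')
    [ -n "$shells" ] || return 1   # no usable login shell: emit nothing
    printf 'Cmnd_Alias RUNAS_LOGIN_SHELLS = %s\n' "$shells"
    printf '%%%s ALL = (%%%s) NOPASSWD: RUNAS_LOGIN_SHELLS\n' "$1" "$2"
}

# Demo on the constructed data. On a live system the inputs would be
#   getent passwd                        (stdin)
#   getent group test-runas | cut -d: -f4   (MEMBERS)
# A source-group member then switches with:  sudo -i -u kshuser
sample_passwd | sudoers_rule test-sourceusers test-runas testdestuser,kshuser,svc
```

Write the output to a drop-in file and check it with `visudo -c -f <file>` before installing it. Permitting a shell lets every member of the source group run arbitrary commands as the runas accounts, so the rule is equivalent to full access to those accounts.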