[sudo-users] sudo to fully switch to another user

Daniele Palumbo daniele at retaggio.net
Wed Dec 6 18:35:27 MST 2017


Let’s suppose the following entry:

%test-sourceusers ALL = (%test-runas) NOPASSWD: /bin/ls, /bin/su -, /bin/bash

ls is working without problem.

What I am not able to accomplish is to become any of the users in %destusers, with its default shell and changing the PWD.

Listing the users with “/bin/su - any_user_in_the_group” would result in a failure because I need to have a dynamic rule.

root@build-jessie-amd64:~# getent group test-sourceusers
root@build-jessie-amd64:~# getent group test-runas
root@build-jessie-amd64:~#

daniele@build-jessie-amd64:~$ sudo -u testdestuser /bin/ls /
bin  boot  dev  etc  home  initrd.img  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var  vmlinuz
daniele@build-jessie-amd64:~$

daniele@build-jessie-amd64:~$ sudo -u testdestuser /bin/bash --login
testdestuser@build-jessie-amd64:/home/daniele$ pwd
testdestuser@build-jessie-amd64:/home/daniele$

testdestuser@build-jessie-amd64:/home/daniele$ logout
daniele@build-jessie-amd64:~$ sudo -u testdestuser /bin/su - testdestuser

The above does not fulfill my use case because:
- /bin/su will effectively run as the destination user (not root), asking for the password, which is not known/does not exist
- /bin/bash is an example hardcoded shell. Sometimes the kind of shell cannot be guessed (csh, ksh, ...)
- cwd does not change upon running the shell, even with the shell run with --login, as per https://bugzilla.sudo.ws/show_bug.cgi?id=797

Is there another way to fully switch user that I am missing?

If not, is it worth creating a specific entry in Sudo to allow this behavior, without a password or with the password of the source user?

Thank you very much,