[sudo-users] ability to su to users in AD group
Dempsey, Steve AZ
steve.az.dempsey at intel.com
Thu May 25 12:59:04 MDT 2017
I do not believe this can be done with su because there is no variable substitution
possible in a command, but have done something similar as follows:
%domaingroup ALL = (%domaingroup2) ALL
People in the privileged domaingroup can run:
> sudo -u user2 -i
to get a shell as anyone in the target domaingroup2.
From: sudo-users [mailto:sudo-users-bounces at sudo.ws] On Behalf Of Landry, Stéphane
Sent: Thursday, May 25, 2017 10:59 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] ability to su to users in AD group
I'm trying to limit the use of su to certain users in an AD group.
For example, I need something similar to the following in the sudoers file:
%domaingroup ALL=(ALL) NOPASSWD: /bin/su - username
But instead of the username which works, I need to specify the AD group which has a list of usernames that get updated regularly. In this way I can control which domain users I can su as.
I'm looking for something like
%domaingroup ALL=(ALL) NOPASSWD: /bin/su - %domaingroup2
So that the users in domaingroup can take the identities of only the users in domaingroup2.
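The two approaches from this thread side by side, as an added sudoers sketch that was not written by either poster. The drop-in file name, the `TARGETS` alias and the `!root` exclusion are assumptions for illustration; the group names are the ones used in the messages above.

```sudoers
# /etc/sudoers.d/domaingroup-runas   (hypothetical file name)
# Check syntax before installing:  visudo -cf /etc/sudoers.d/domaingroup-runas
# Both groups must resolve through NSS on the host (sssd, winbind, ...):
#   getent group domaingroup2

# Form from the question. su itself runs as root, and the target is a literal
# string in the command arguments, so a group cannot be substituted there.
# %domaingroup ALL = (ALL) NOPASSWD: /bin/su - username

# Form from the reply. The group moves into the Runas list, so sudo itself
# decides which target users are allowed:
#   "(%domaingroup2)" = run as any user who is a member of domaingroup2.
# Used as:  sudo -u user2 -i
%domaingroup ALL = (%domaingroup2) ALL

# Easy to confuse with the above: a leading colon makes it a Runas *group*
# (sudo -g). The command still runs as the invoking user, only the group
# changes, so this does NOT let anyone become a member of domaingroup2.
# %domaingroup ALL = (:domaingroup2) ALL

# Optional variant (assumption, not from the thread): because the target set
# follows AD group membership, exclude accounts that must never be reachable
# even if someone adds them to domaingroup2 later.
# Runas_Alias TARGETS = %domaingroup2, !root
# %domaingroup ALL = (TARGETS) ALL

# Review what a given member of domaingroup ends up with:
#   sudo -l -U <member-of-domaingroup>
```

Membership in domaingroup2 is evaluated when sudo runs, so changes to the AD group take effect without editing sudoers; that also makes control over who can edit domaingroup2 part of the privilege boundary.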