[sudo-users] ability to su to users in AD group

Shawn McMahon syberghost at gmail.com
Thu May 25 13:16:50 MDT 2017


Write a script. Put the script in a location where nobody but root can
modify it. Make a sudo rule to run the script.

On Thu, May 25, 2017 at 1:59 PM, Dempsey, Steve AZ <
steve.az.dempsey at intel.com> wrote:

> I do not believe this can be done with su because there is no variable
> substitution possible in a command, but have done something similar as follows:
>
> %domaingroup ALL = (%domaingroup2) ALL
>
> People in the privileged domaingroup can run:
>
> > sudo -u user2 -i
>
> to get a shell as anyone in the target domaingroup2.
>
>
> -----Original Message-----
> From: sudo-users [mailto:sudo-users-bounces at sudo.ws] On Behalf Of Landry,
> Stéphane
> Sent: Thursday, May 25, 2017 10:59 AM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] ability to su to users in AD group
>
> Hi,
>
> I'm trying to limit the use of su to certain users in an AD group.
>
> For example, I need something similar to the following in the sudoers file
>
> %domaingroup ALL=(ALL) NOPASSWD: /bin/su - username
>
> But instead of the username which works, I need to specify the AD group
> which has a list of usernames that get updated regularly. In this way I can
> control which domain users I can su as.
>
> I'm looking for something like
>
> %domaingroup ALL=(ALL) NOPASSWD: /bin/su - %domaingroup2
>
> So that the users in domaingroup can take the identities of only the users
> in domaingroup2
>
> Thanks
>
>
> Stephane Landry
>
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> https://www.sudo.ws/mailman/listinfo/sudo-users
>
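The "write a script, make it root-owned, point a sudo rule at it" approach suggested above, worked through as an added example (this is editor-written code, not from the sudo project or any of the posters). The script takes a target account name, refuses anything that does not look like a plain user name (so the argument can never be parsed by su as an option), checks that the target is a member of the allowed AD group through NSS (where SSSD or winbind expose the group), and only then execs `su -`. The group names `domaingroup` / `domaingroup2`, the install path and the script name are assumptions carried over from the thread; the sudoers line in the header comment is likewise an assumed example rule. Because the script runs as root, it must live somewhere only root can write, exactly as the reply says.

```shell
#!/bin/sh
# su-to-group.sh  (added example; names below are assumptions)
#
# Install root-owned, mode 0755, e.g. /usr/local/sbin/su-to-group.sh, then:
#   %domaingroup ALL=(root) NOPASSWD: /usr/local/sbin/su-to-group.sh
# Members of domaingroup run:  sudo /usr/local/sbin/su-to-group.sh alice
# and get a login shell as alice only if alice is in TARGET_GROUP.
set -eu

TARGET_GROUP="${TARGET_GROUP:-domaingroup2}"   # assumed AD group of allowed targets

# Accept only a conservative account-name charset (letters, digits, . _ @ -).
# An empty name or a leading '-' is refused so "$target" can never turn into
# an su option.  DOMAIN\user style names are deliberately not accepted.
valid_username() {
    case "${1:-}" in
        '' | -* | *[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the members of one group(5)-style line "name:pw:gid:m1,m2" one per line.
group_members_from_line() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# 0 if user $1 appears in the member list of group line $2 (exact match).
user_in_group_line() {
    group_members_from_line "$2" | grep -qxF -- "$1"
}

# Live check: primary group via id(1), secondary membership via getent(1).
user_in_group() {
    _u=$1 _g=$2
    if [ "$(id -gn "$_u" 2>/dev/null)" = "$_g" ]; then
        return 0
    fi
    _line=$(getent group "$_g") || return 1
    user_in_group_line "$_u" "$_line"
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 <target-user>" >&2; exit 64; }
    target=$1
    valid_username "$target" || { echo "refusing malformed user name" >&2; exit 65; }
    user_in_group "$target" "$TARGET_GROUP" || {
        echo "$target is not a member of $TARGET_GROUP" >&2; exit 77; }
    # sudo already made us root, so su does not ask for the target's password.
    exec su - "$target"
}

# Run main only when invoked under the installed name; sourcing the file
# (e.g. to test the helper functions) does nothing.
case "$0" in
    */su-to-group.sh | su-to-group.sh) main "$@" ;;
esac
```

The sudoers rule grants only this one script, and the script decides which target users are reachable, so the group membership in AD is what gets updated, not the sudoers file. The alternative quoted below, `%domaingroup ALL = (%domaingroup2) ALL`, needs no script but allows any command as the target user rather than only a login shell.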

