[sudo-users] Mass runas definition

Todd C. Miller Todd.Miller at millert.dev
Thu Jan 5 09:33:07 MST 2023

On Thu, 05 Jan 2023 17:36:24 +0200, Marek Svent via sudo-users wrote:

> I have a need to give to some administrators an access to run sudo
> into users' accounts. But without giving them access to run commands
> as system users. There are hundreds of systems accounts and thousands
> of users' accounts and both change as well, so using runas lists is
> awkward at best.
> Is there a better way than just list every single account in sudoers
> file? Theoretically it would be ideal if there would be support for
> uid ranges. Something like:
> %semigods ALL=(#5000-#65000) INTERCEPT:NOPASSWD: ALL

Unfortunately, I don't think there is a good way to do this unless
you can use group membership in the RunasUser list.  If a group
prefixed with '%' is present in a RunasUser list, it will match any
user in that group.

For example, if non-system users are all members of the "users"
group (but system users are not), you could do something like:

    %semigods ALL=(%users) INTERCEPT:NOPASSWD: ALL

You can also use negation, though that is much more fragile:

    %semigods ALL=(ALL, !%root, !%staff) INTERCEPT:NOPASSWD: ALL

You can use groups the same way in a RunasAlias.  Hope that helps.

 - todd

More information about the sudo-users mailing list