[sudo-users] Mass runas definition
Todd C. Miller
Todd.Miller at millert.dev
Thu Jan 5 09:33:07 MST 2023
On Thu, 05 Jan 2023 17:36:24 +0200, Marek Svent via sudo-users wrote:
> I have a need to give some administrators access to run sudo
> into users' accounts, but without giving them access to run commands
> as system users. There are hundreds of system accounts and thousands
> of users' accounts, and both change as well, so using runas lists is
> awkward at best.
> Is there a better way than just listing every single account in the sudoers
> file? Theoretically it would be ideal if there were support for
> uid ranges. Something like:
> %semigods ALL=(#5000-#65000) INTERCEPT:NOPASSWD: ALL
Unfortunately, I don't think there is a good way to do this unless
you can use group membership in the RunasUser list. If a group
prefixed with '%' is present in a RunasUser list, it will match any
user in that group.
For example, if non-system users are all members of the "users"
group (but system users are not), you could do something like:
%semigods ALL=(%users) INTERCEPT:NOPASSWD: ALL
You can also use negation, though that is much more fragile:
%semigods ALL=(ALL, !%root, !%staff) INTERCEPT:NOPASSWD: ALL
You can use groups the same way in a RunasAlias. Hope that helps.
- todd
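The group-based RunasUser rule from the reply, written with a Runas_Alias as an added example (not from the post or the sudo project). It assumes non-system accounts are all members of a "users" group and the hypothetical drop-in path /etc/sudoers.d/semigods:

```sudoers
# Added example, not from the list post. Assumption: every non-system
# account is in the "users" group and no system account is; adjust the
# group name to the local policy before use.

# A Runas_Alias accepts '%'-prefixed groups, exactly like a RunasUser list,
# so the target-user policy can be named once and reused in several rules.
Runas_Alias  NONSYSTEM = %users

# Allow-list form: members of "semigods" may run any command, but only as
# an account that is a member of "users". Root and other system accounts
# outside that group are never a valid target.
%semigods  ALL = (NONSYSTEM) INTERCEPT:NOPASSWD: ALL

# Verify the fragment before it is installed, then confirm the effective
# privileges of one administrator (replace <admin> with a real login):
#   visudo -cf /etc/sudoers.d/semigods
#   sudo -l -U <admin>
```

Because the rule is an allow-list, an account that is later removed from "users" stops being a valid runas target without any change to sudoers, which is the property the negated form in the reply cannot guarantee.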