
I'd like to allow certain users to su to another user account without having to know that account's password, but not allow access to any other user account (i.e. root).
For instance, I'd like to allow Tom the DBA to su to the oracle user, but not to the tomcat user or root.

I imagine this could be done with the /etc/sudoers file - is it possible? If so, how?

To ONLY provide the capabilities in the question, add the following to /etc/sudoers:

tom            ALL=(oracle)    /bin/bash

Then tom can:

sudo -u oracle bash -i
  • 0

su is not meant to do that -- sudo is.

Open /etc/sudoers.d/custom and write the following:

user-a ALL=(user-b:user-b) NOPASSWD:ALL

Which means: whenever user-a executes sudo -u user-b (or any other variant), let him go without asking for a password.

  • 0

Yes, this is possible.

In /etc/sudoers the item immediately following the equals is the user that the command will be allowed to execute as.

tom  ALL=(oracle) /bin/chown tom *

The user (tom) can type sudo -u oracle /bin/chown tom /home/oracle/oraclefile

  • 0
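An added example, not code from any of the answers above: a small Python check that parses the three sudoers rules quoted on this page and reports what each one grants, so a rule can be compared against the requirement in the question (tom may become oracle, but not tomcat or root). It handles only the simple one-line form shown here (no aliases or comma-separated lists); the function names and the SHELLS list are assumptions of this example.

```python
import re

# Simplified user specification: user host=(runas[:group]) [TAG:]command
# (assumption: one rule per line, no aliases, no comma-separated lists)
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"\((?P<runas>[^:)]*)(?::(?P<group>[^)]*))?\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/ksh"}  # assumed list
# The three rules quoted in the answers on this page.
PAGE_RULES = [
    "tom            ALL=(oracle)    /bin/bash",
    "user-a ALL=(user-b:user-b) NOPASSWD:ALL",
    "tom  ALL=(oracle) /bin/chown tom *",
]

def parse_rule(line):
    """Split one simple sudoers rule into its fields."""
    m = RULE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    rule = m.groupdict()
    rule["tags"] = re.findall(r"[A-Z]+", rule["tags"])
    rule["cmd"] = rule["cmd"].strip()
    return rule

def allows_runas(rule, target):
    """True if the rule lets its user run commands as `target`."""
    return rule["runas"] in (target, "ALL")

def audit(line):
    """Return the points a reviewer would raise for one rule."""
    rule, findings = parse_rule(line), []
    binary, _, args = rule["cmd"].partition(" ")
    if allows_runas(rule, "root"):
        findings.append("runas reaches root")
    if binary == "ALL" or binary in SHELLS:
        findings.append(f"any command as {rule['runas']}")
    if "*" in args or "?" in args:
        findings.append("wildcard arguments match across word boundaries")
    if "NOPASSWD" in rule["tags"]:
        findings.append("no password prompt for the invoking user")
    return findings

if __name__ == "__main__":
    for line in PAGE_RULES:
        print(line, "->", audit(line) or ["no findings"])
```

After editing the real file, `visudo -c` checks its syntax and `sudo -l -U tom` lists what sudo will actually allow for that user.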