Allow paswordless user to change to another passwordless user

security users sudo not-root-user su

25,000

Solution 1

This is how I ended up doing it.

I created the file /etc/sudoers.d/dev

Containing:

# allow user dev to become user tomcat
# invoked with [dev@host ~]$ sudo su - tomcat
dev ALL = (root) NOPASSWD: /bin/su - tomcat

changed the file permissions with chmod 0440 /etc/sudoers.d/dev

created an alias in dev's .bashrc alias tomcat='sudo su - tomcat'

This results in the ability for the dev user to become the tomcat user without either having to type (or indeed having) a password ever by typing tomcat at the command line.

Solution 2

If what you want is to allow dev to run arbitrary commands as tomcat, then don't bother with su, stick with sudo. Add the following line to the sudoers file (use the visudo command):

dev ALL = (tomcat) NOPASSWD: ALL

Run sudo -iu tomcat as the user dev to run a login shell as tomcat.

Solution 3

You have sudo added to your tags. In your sudoers file, you can add dev to allowed users and, if you wish, restrict which commands they're allowed to run, and that password isn't required. Then all they'd have to do is type "sudo su - tomcat".

Run visudo to add the following line:

dev ALL = NOPASSWD: /usr/bin/su - tomcat

There's lots more information and examples in the man file for sudoers.

Solution 4

I've been using sudo's built in user assumption tool,

where

dev is the sudoer user name, or
dev is the sudeoer group name (sudo configuration calls this %dev)
and tomcat is the destination user

/!\ Note, always validate sudo's configuration files with visudo before writing, or always edit sudo's configuration files with visudo. An invalid sudo configuration file will latch sudo in an broken state and prevent further invocations.

sudo env EDITOR=nano visudo -f /etc/sudoers.d/runas-tomcat

#/etc/sudoers.d/runas-tomcat
dev ALL=(tomcat) NOPASSWD: ALL
%dev ALL=(tomcat) NOPASSWD: ALL

Using sudo like this is simmilar to as follows. The flag --set-home (-H) is optional, it corrects $HOME by looking it up the target user home in /etc/passwd. The flag --shell (-s) or --login (-i) is optional, -s uses your shell and should feel at home, -i instead uses the target user shell specified in /etc/passwd which may be /usr/sbin/nologin for example and deny login; if both -s and -i are not provided, sudo requires additional non-flag arguments to speciify what command to run.

dev@localhost ~ $ sudo --set-home --shell --user tomcat
tomcat@localhost /home/dev/ $ cd
tomcat@localhost ~ $

or in shorter form

sudo -u tomcat  echo whoami
sudo -Hsu tomcat  # enter tomcat with your shell and their home

View more solutions

25,000

Nifle

Updated on September 18, 2022

Comments

Nifle over 1 year

I have two users dev and tomcat neither of them have a password.

How can I allow dev ¹ do su - tomcat without having him having to enter any credentials?

¹ connects with ssh keyfile
Nifle over 11 years

still asks for the dev password
Gilles 'SO- stop being evil' over 11 years

@Nifle There was an error in the sudoers line, try now.
Nifle over 11 years

@Gilles - still asks for a password. And had to add ALL=(ALL) to get it to run at all