Allow passwordless user to change to another passwordless user
Solution 1
This is how I ended up doing it.
I created the file /etc/sudoers.d/dev containing:
# allow user dev to become user tomcat
# invoked with [dev@host ~]$ sudo su - tomcat
dev ALL = (root) NOPASSWD: /bin/su - tomcat
changed the file permissions with chmod 0440 /etc/sudoers.d/dev, and created an alias in dev's .bashrc:
alias tomcat='sudo su - tomcat'
This results in the ability for the dev user to become the tomcat user, without either having to type (or indeed having) a password, ever, by typing tomcat at the command line.
Solution 2
If what you want is to allow dev to run arbitrary commands as tomcat, then don't bother with su, stick with sudo. Add the following line to the sudoers file (use the visudo command):
dev ALL = (tomcat) NOPASSWD: ALL
Run sudo -iu tomcat as the user dev to run a login shell as tomcat.
Solution 3
You have sudo added to your tags. In your sudoers file, you can add dev to allowed users and, if you wish, restrict which commands they're allowed to run, and that a password isn't required. Then all they'd have to do is type "sudo su - tomcat".
Run visudo to add the following line:
dev ALL = NOPASSWD: /usr/bin/su - tomcat
There's lots more information and examples in the man file for sudoers.
Solution 4
I've been using sudo's built-in user assumption tool, where dev is the sudoer user name, or dev is the sudoer group name (sudo configuration calls this %dev), and tomcat is the destination user.
/!\ Note: always validate sudo's configuration files with visudo before writing, or always edit sudo's configuration files with visudo. An invalid sudo configuration file will latch sudo in a broken state and prevent further invocations.
sudo env EDITOR=nano visudo -f /etc/sudoers.d/runas-tomcat
#/etc/sudoers.d/runas-tomcat
# user dev, and every member of group dev, may run any command as tomcat without a password
dev ALL=(tomcat) NOPASSWD: ALL
%dev ALL=(tomcat) NOPASSWD: ALL
Using sudo like this is similar to the following. The flag --set-home (-H) is optional; it corrects $HOME by looking up the target user's home directory in /etc/passwd. The flag --shell (-s) or --login (-i) is optional: -s uses your shell and should feel at home, -i instead uses the target user's shell specified in /etc/passwd, which may be /usr/sbin/nologin for example and deny login; if neither -s nor -i is provided, sudo requires additional non-flag arguments to specify what command to run.
dev@localhost ~ $ sudo --set-home --shell --user tomcat
tomcat@localhost /home/dev/ $ cd
tomcat@localhost ~ $
or in shorter form
sudo -u tomcat whoami   # runs whoami as tomcat, so it prints "tomcat"
sudo -Hsu tomcat        # enter tomcat with your shell and their home
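The following is an added example and is not code from any of the answers above. It is a small Python analyzer for the sudoers subset used in Solutions 1 through 4: it parses each rule and simulates what `sudo -u <target> <command>` would decide for user dev. It makes two points the answers only touch on. First, a rule with no (runas) list applies to root only, so `sudo -u tomcat ...` does not match Solution 3's rule at all; since sudo asks for a password before telling a user that a command is not allowed, a rule that does not match looks exactly like a rule that lacks NOPASSWD, which is the symptom reported in the comments below. Second, the path-plus-arguments form of Solutions 1 and 3 permits precisely `su - tomcat` run as root and nothing else, whereas Solutions 2 and 4 permit any command as tomcat but do not permit `sudo su - tomcat`. The names parse_rule, load and decide are this example's own; /bin/su, /usr/bin/su and /bin/bash are assumed resolved paths; aliases, Defaults, wildcards, digests and negation are not handled.

```python
"""Analyzer for the sudoers subset used on this page (added example, not sudo's code).

Handles user specifications of the form

    who  host_list = (runas_list) TAG: command [args]

where `who` is a user or %group, the runas list and tags are optional, and the
command is ALL or an absolute path with optional exact arguments.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Sequence

RULE_RE = re.compile(
    r"^(?P<who>%?[A-Za-z0-9_.-]+)\s+"        # user or %group
    r"(?P<hosts>[A-Za-z0-9_.,-]+)\s*=\s*"    # host list, usually ALL
    r"(?:\((?P<runas>[^)]*)\)\s*)?"          # optional (runas_user[:runas_group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"             # NOPASSWD:, SETENV:, ...
    r"(?P<cmd>\S.*)$"                        # ALL or /path [args]
)


@dataclass(frozen=True)
class Rule:
    who: str               # "dev" or "%dev"
    hosts: str             # "ALL" or comma-separated host names
    runas: tuple           # users allowed after -u; () = sudo's default (root)
    tags: frozenset        # e.g. frozenset({"NOPASSWD"})
    command: str           # "ALL" or an absolute path
    args: Optional[tuple]  # None = any args; () = no args; otherwise exact match


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one sudoers line; returns None for blank lines and comments."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unsupported sudoers syntax: %r" % line)
    runas_field = m.group("runas")
    if runas_field is None:
        runas = ()                                   # omitted: root only
    else:
        users = runas_field.split(":")[0]            # drop any :group part
        runas = tuple(u.strip() for u in users.split(",") if u.strip())
    tags = frozenset(t for t in re.split(r"[:\s]+", m.group("tags")) if t)
    words = shlex.split(m.group("cmd"))
    command, rest = words[0], tuple(words[1:])
    if command == "ALL" or not rest:
        args = None                                  # path alone: any arguments
    elif rest == ("",):
        args = ()                                    # explicit "": no arguments
    else:
        args = rest                                  # listed args must match exactly
    return Rule(m.group("who"), m.group("hosts"), runas, tags, command, args)


def load(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def decide(rules: Sequence[Rule], user: str, groups: Sequence[str], target: str,
           command: str, args: Sequence[str], host: str = "localhost") -> str:
    """Simulate `sudo -u <target> <command> <args...>` run by `user`.

    Returns "NOPASSWD", "PASSWD" (a rule matches but a password is required)
    or "DENY" (no rule matches). As in sudo, the last matching rule wins.
    """
    verdict = "DENY"
    for r in rules:
        if r.who.startswith("%"):
            if r.who[1:] not in groups:
                continue
        elif r.who not in (user, "ALL"):
            continue
        if r.hosts != "ALL" and host not in r.hosts.split(","):
            continue
        allowed = r.runas or ("root",)
        if "ALL" not in allowed and target not in allowed:
            continue
        if r.command != "ALL":
            if r.command != command:
                continue
            if r.args is not None and r.args != tuple(args):
                continue
        verdict = "NOPASSWD" if "NOPASSWD" in r.tags else "PASSWD"
    return verdict


# Fragments as written in the answers above (Solution 1 through Solution 4).
SOLUTION_1 = "dev ALL = (root) NOPASSWD: /bin/su - tomcat"
SOLUTION_2 = "dev ALL = (tomcat) NOPASSWD: ALL"
SOLUTION_3 = "dev ALL = NOPASSWD: /usr/bin/su - tomcat"
SOLUTION_4 = "dev ALL=(tomcat) NOPASSWD: ALL\n%dev ALL=(tomcat) NOPASSWD: ALL"

if __name__ == "__main__":
    # `sudo su - tomcat` is /bin/su run as root with args "- tomcat";
    # `sudo -iu tomcat` is modelled as /bin/bash run as tomcat (assumed shell).
    cases = [
        ("Solution 1, sudo su - tomcat", SOLUTION_1, "root", "/bin/su", ["-", "tomcat"]),
        ("Solution 1, sudo -iu tomcat", SOLUTION_1, "tomcat", "/bin/bash", []),
        ("Solution 2, sudo -iu tomcat", SOLUTION_2, "tomcat", "/bin/bash", []),
        ("Solution 2, sudo su - tomcat", SOLUTION_2, "root", "/bin/su", ["-", "tomcat"]),
        ("Solution 3, sudo su - tomcat", SOLUTION_3, "root", "/usr/bin/su", ["-", "tomcat"]),
        ("Solution 3, sudo -u tomcat su - tomcat", SOLUTION_3, "tomcat", "/usr/bin/su", ["-", "tomcat"]),
    ]
    for label, fragment, target, cmd, args in cases:
        print("%s -> %s" % (label, decide(load(fragment), "dev", [], target, cmd, args)))
    print("Solution 4, alice in group dev, sudo -iu tomcat -> %s"
          % decide(load(SOLUTION_4), "alice", ["dev"], "tomcat", "/bin/bash", []))
```

The decisions are the same ones `sudo -l -U dev` would report on a real host for these fragments, but the analyzer is only a reading aid; install the fragment with `visudo -cf` checking it first, as Solution 4 says.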
Nifle
Updated on September 18, 2022
Comments
-
Nifle over 1 year
I have two users, dev and tomcat; neither of them has a password. How can I allow dev [1] to do su - tomcat without him having to enter any credentials?
[1] connects with ssh keyfile
-
Nifle over 11 years: still asks for the dev password
-
Gilles 'SO- stop being evil' over 11 years: @Nifle There was an error in the sudoers line, try now.
-
Nifle over 11 years: @Gilles - still asks for a password. And had to add ALL=(ALL) to get it to run at all