su to myself without password
Solution 1
You should be using sudo for this, not su. With sudo, you can specify NOPASSWD in /etc/sudoers:
username ALL = NOPASSWD: /path/to/command
Solution 2
I think there is a basic misunderstanding here.
Those users would get sudo rights to that account, and that usually works well, except that the init scripts in some cases call su -c 'start_daemon ...' daemonuser and that brings down this scheme.
When an init script does su -c <start_daemon> <daemon_user>, what it is doing is switching the context that the daemon is running under.
For example, our tomcat scripts do exactly this so that the daemon can run with the "tomcat" user permissions.
Now, if you go changing the init scripts to do su -c <start_daemon> <your_user>, you WILL BREAK the daemon, as it expects to be run under a certain environment.
Giving your users sudo permission to those scripts, as everyone else has already said, is the correct way to give them the ability to manage those daemons.
Peter Eisentraut
Updated on September 17, 2022
Comments
-
Peter Eisentraut almost 2 years
How can one set it up so that su to the same user that is currently logged in, that is
foo$ su -c 'something' foo
does not require a password? This wouldn't add or remove any security, as it should be a noop.
The reason for wanting this is that I would like to have a class of users "below" root that can administer some specific services on the machine that run under that user, e.g., news or mysql (inspect their data, change the configuration, restart, etc.). Those users would get sudo rights to that account, and that usually works well, except that the init scripts in some cases call su -c 'start_daemon ...' daemonuser and that brings down this scheme. Of course, I can change the init scripts or add additional sudo permissions, but I would like to avoid these sort of exceptions, because they are a mess to maintain in the long run.
The configuration for su is in PAM, so the right magic possibly lies there.
-
Admin over 14 years
For clarification, the calls to "su" are in some script that I don't want to change. If I would want to change it, this would be trivial. So any answer that proposes to change the su call to sudo or something else is incorrect. The goal is to make the existing su call succeed without requiring a password.
-
Peter Eisentraut over 14 years
I know that, but that was not the question.
-
Nunya over 14 years
Set sudo up with no password, then use this command: sudo su - <username>
-
Peter Eisentraut over 14 years
I don't want to change the init script. I want someone who is logged in as, say, "tomcat", to be able to run the init script. But that will fail because su -c <start_daemon> tomcat will ask for a password, even if you are already logged in as tomcat, and that will usually not exist anyway.
-
Admin over 14 years
I don't want to change the script. If I could, I would just take out the su call or something.
-
Admin over 14 years
That's kind of a promising direction, but I think I would conceptually need something like pam_succeed_if.so uid = user.
-
Zypher over 14 years
@Peter: Your init script should have an if statement like:
if [ "$USERNAME" = 'tomcat' ]; then <run script>; else su -c <start_daemon> tomcat; fi
to take care of this situation. If that doesn't exist, well, you might just have to change the init script.
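
The check suggested in the last comment, written out as an init-script helper that never stops at a password prompt. This is an added example, not code from the thread; run_as and start_mode are hypothetical names, and it assumes a su that takes -c and a user name the way the thread's scripts call it.

```shell
#!/bin/sh
# Added example: choose how to start a daemon as user $1 without prompting.
#   already that user -> run the command directly (no su, so no PAM auth)
#   root              -> su -c (root is not asked for a password)
#   anyone else       -> refuse, rather than hang on a password prompt

# Print the strategy for target user $1: direct | su | deny.
# Optional $2 overrides the detected current user (used for testing).
start_mode() {
    target=$1
    current=${2:-$(id -un 2>/dev/null || id -u)}
    if [ "$current" = "$target" ]; then
        echo direct
    elif [ "$current" = root ]; then
        echo su
    else
        echo deny
    fi
}

# run_as USER COMMAND...  (hypothetical helper name)
run_as() {
    target=$1; shift
    case $(start_mode "$target") in
        direct) sh -c "$*" ;;
        su)     su -c "$*" "$target" ;;
        deny)   echo "run_as: must be root or $target" >&2
                return 1 ;;
    esac
}
```

An init script would call run_as tomcat 'start_daemon ...' in place of the bare su -c line, so a sudo grant to the service account is enough to run the script.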