Sudo access to another user's account


That (and making back-ups) is pretty much the traditional use of the operator user and group...

Set up a group - eg. mainusers - and add the users allowed to "become" mainaccount

In /etc/sudoers add:

    # sudoers requires the full path to a command; /bin/su is assumed here (check with: command -v su)
    %mainusers ALL = (root) /bin/su - mainaccount

This will let members of mainusers become mainaccount by using su - mainaccount. By doing so as root, they don't need to give a password for the su-command. Alternative:

    %mainusers ALL = (mainaccount) ALL

lets members of mainusers run any command as mainaccount.

Let mainaccount-user be a member of the sudo-group (ie. may sudo to root and run commands as root). This will let any user first becoming mainaccount to then use sudo to become root.


That said, this sounds like a bad idea! It may be better to let mainaccount - and users belonging to mainusers who could become him - to only be allowed to run a limited number of privileged commands (perhaps only the commands in a dedicated directory), maybe as root. sudo can be used to set-up this too.

You may look at man sudoers -- and in the example sudoers-file in /usr/share/doc/sudo/examples/ -- for more inspiration. Look especially how they use alias and the operator-user/group in the example-file. Here "operators" may do daily maintenance work -- like shut-down the computer, kill processes, start/stop/add printers, mount CDROMs, and such things -- but far from everything root (and members of sudo-group) can do. This is a more appropriate set-up for allowing "trusted users" doing some day-to-day admin-work. If you're running several computers, it may also be a good idea to limit their privileges to only one or two computers (eg. groups of users have special rights on "their" computer, but not on the other computers).

So if I was you, I would think twice and perhaps rethink this - especially the number of users you intend to "promote". If you have to do this, I would suggest the operator-solution - put them in a group, and use sudo to give them a limited set of privileged commands they could run (as root) to fix day-to-day problems. But don't let them all be able to ascend to full root-status! If you really need someone with full root-privileges, then pick a couple among the dozen that you really trust and know are knowledgeable, and add them to the sudo-group as full co-administrators... that would be a lot cleaner and easier to control than what you proposed.
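
The limited "operator"-style setup suggested above, sketched as a sudoers fragment next to the broad rules it replaces. This is an added example, not part of the original answer and not copied from the sudo example file; the file name, host names, alias names, service unit, directory and the /bin/su path are assumptions, while mainusers and mainaccount come from the thread.

```sudoers
# /etc/sudoers.d/mainusers  (hypothetical file name)
# Edit with:   visudo -f /etc/sudoers.d/mainusers
# Check with:  visudo -cf /etc/sudoers.d/mainusers

# --- Broad form (left commented out) -------------------------------------
# Either rule lets every member of mainusers act fully as mainaccount.
# If mainaccount is also in the sudo/wheel group, each member then has a
# two-step path to unrestricted root.
# %mainusers ALL = (root) /bin/su - mainaccount
# %mainusers ALL = (mainaccount) ALL

# --- Limited form ---------------------------------------------------------
# Placeholder host names: restrict the rights to the test machines only.
Host_Alias  TESTHOSTS = testbox1, testbox2

# Exact command lines members may run as root (hypothetical service unit).
# Arguments are part of the match, so "systemctl stop sshd" is not allowed.
Cmnd_Alias  TEST_SVC = /usr/bin/systemctl restart testapp.service, \
                       /usr/bin/systemctl status testapp.service

# A trailing slash means "any command in this directory" (not in
# subdirectories). The directory and its files must be owned by root and
# not writable by mainusers or mainaccount, otherwise members can add
# their own commands to the allowed set.
Cmnd_Alias  TEST_OPS = /usr/local/testenv/bin/

# Members authenticate with their own password (sudo's default) and get:
#   - the dedicated test-environment tools, run as mainaccount
#   - the two service commands, run as root
%mainusers  TESTHOSTS = (mainaccount) TEST_OPS
%mainusers  TESTHOSTS = (root) TEST_SVC

# With this in place mainaccount itself should not be a member of the
# sudo/wheel group.
```

A member then runs, for instance, sudo -u mainaccount /usr/local/testenv/bin/<tool>, and sudo -l shows exactly which commands the rules grant.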


user3311890
Author by

user3311890

Updated on September 18, 2022

Comments

  • user3311890
    user3311890 over 1 year

    what will be the most efficient way for multiple users (around 15) to be able to sudo to another user's account to run privileged commands?

    so to make it clear, I have a main user called mainaccount that has sudo/root access, I also have 15 other users that need to be able to change or run commands su - mainaccount for managing a test environment.

    how can I do this?

    Edit: I am asking how is this done, so if user user1 wants to run a command as mainaccount (su - mainaccount) but without putting mainaccount's password, rather using their own password. I guess kind of like the wheel group, where you can add multiple users but this one just to be able to change or run commands as mainaccount

    • cripp
      cripp over 7 years
      Are you asking how is it done? Or how do you make running it better? I guess I am confused by what you want clarified. Did you want people to just run individual commands? Or did you want to have them to run as many as they need without relogging in?
    • cripp
      cripp over 7 years
      The su command stands for :switch user. To use the su command on a single command basis, enter: su user -c command To switch users so you can enter many commands enter: su user Replace user with mainaccount for the above example. I am posting this as a comment as I don't really know what your question was. But this at least helps you with your syntax.
    • user3311890
      user3311890 over 7 years
      I guess this is pretty close to what I want, I do want the main account to become root (which I've done that by adding it to the wheel group) but now, I want to put all the users, so they are able to run commands as the mainaccount how do I specifically add the users so they can su - mainaccount?
  • user3311890
    user3311890 over 7 years
    agreed as a bad idea, it was a requirement and talked people off of this idea, thank you so much!