Sudo access to another user's account
That (and making back-ups) is pretty much the traditional use of the operator user and group...
Set up a group - eg. mainusers - and add the users allowed to "become" mainaccount
In /etc/sudoers add:
%mainusers ALL = (root) /bin/su - mainaccount
This will let members of mainusers become mainaccount by using su - mainaccount. By doing so as root, they don't need to give a password for the su command. Alternatively,
%mainusers ALL = (mainaccount) ALL
lets members of mainusers run any command as mainaccount.
Let mainaccount-user be a member of the sudo-group (ie. may sudo to root and run commands as root). This will let any user first becoming mainaccount to then use sudo to become root.
That said, this sounds like a bad idea! It may be better to let mainaccount - and users belonging to mainusers who could become him - to only be allowed to run a limited number of privileged commands (perhaps only the commands in a dedicated directory), maybe as root. sudo can be used to set-up this too.
You may look at man sudoers -- and in the example sudoers-file in /usr/share/doc/sudo/examples/ -- for more inspiration. Look especially how they use alias and the operator-user/group in the example-file. Here "operators" may do daily maintenance work -- like shut-down the computer, kill processes, start/stop/add printers, mount CDROMs, and such things -- but far from everything root (and members of sudo-group) can do. This is a more appropriate set-up for allowing "trusted users" doing some day-to-day admin-work. If you're running several computers, it may also be a good idea to limit their privileges to only one or two computers (eg. groups of users have special rights on "their" computer, but not on the other computers).
So if I was you, I would think twice and perhaps rethink this - especially the number of users you intend to "promote". If you have to do this, I would suggest the operator-solution - put them in a group, and use sudo to give them a limited set of privileged commands they could run (as root) to fix day-to-day problems. But don't let them all be able to ascend to full root-status! If you really need someone with full root-privileges, then pick a couple among the dozen that you really trust and know are knowledgeable, and add them to the sudo-group as full co-administrators... that would be a lot cleaner and easier to control than what you proposed.
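A sketch of the limited, operator-style setup recommended above, added here as an example and not part of the original answer. The drop-in file name, the host names and the /opt/testenv/bin/ directory are assumptions to be replaced with the real ones.

```sudoers
# /etc/sudoers.d/mainusers   (assumed file name)
# Edit with:   visudo -f /etc/sudoers.d/mainusers
# Check with:  visudo -c -f /etc/sudoers.d/mainusers

# Broad rules from the answer, kept commented out for comparison.
# Both hand every group member everything mainaccount can do:
#   %mainusers ALL = (root) /bin/su - mainaccount
#   %mainusers ALL = (mainaccount) ALL

# Limit the rule to the test machines (assumed host names).
Host_Alias  TESTHOSTS = testbox1, testbox2

# Named commands only. Paths are placeholders for the tooling used
# to manage the test environment; sudoers needs absolute paths.
Cmnd_Alias  TESTENV = /opt/testenv/bin/deploy, \
                      /opt/testenv/bin/restart-service, \
                      /opt/testenv/bin/show-logs

# Members authenticate with their own password, never mainaccount's.
Defaults:%mainusers  !targetpw, !rootpw
# Ask for the password again after 5 minutes.
Defaults:%mainusers  timestamp_timeout=5
# Run in a pty and record session output for later review.
Defaults:%mainusers  use_pty, log_output

# The rule itself: run TESTENV commands as mainaccount, on TESTHOSTS only.
%mainusers  TESTHOSTS = (mainaccount) TESTENV

# Directory form ("only the commands in a dedicated directory"):
# a trailing slash allows every file directly in that directory.
# The directory must be owned by root and writable by nobody else
# (including mainaccount), or members can add their own programs to it.
#   %mainusers  TESTHOSTS = (mainaccount) /opt/testenv/bin/
```

A member then runs, for example, sudo -u mainaccount /opt/testenv/bin/deploy, and sudo -l shows what they are allowed to run.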
user3311890
Updated on September 18, 2022
Comments
-
user3311890 over 1 year
What will be the most efficient way for multiple users (around 15) to be able to sudo to another user's account to run privileged commands?
So to make it clear, I have a main user called mainaccount that has sudo/root access. I also have 15 other users that need to be able to change or run commands su - mainaccount for managing a test environment. How can I do this?
Edit: I am asking how is this done, so if user user1 wants to run a command as mainaccount (su - mainaccount) but without putting mainaccount's password, rather using their own password. I guess kind of like the wheel group, where you can add multiple users but this one just to be able to change or run commands as mainaccount
-
cripp over 7 years
Are you asking how is it done? Or how do you make running it better? I guess I am confused by what you want clarified. Did you want people to just run individual commands? Or did you want to have them to run as many as they need without relogging in?
-
cripp over 7 years
The su command stands for: switch user. To use the su command on a single command basis, enter:
su user -c command
To switch users so you can enter many commands enter:
su user
Replace user with mainaccount for the above example. I am posting this as a comment as I don't really know what your question was. But this at least helps you with your syntax.
-
user3311890 over 7 years
I guess this is pretty close to what I want, I do want the main account to become root (which I've done that by adding it to the wheel group) but now, I want to put all the users, so they are able to run commands as the mainaccount. How do I specifically add the users so they can su - mainaccount?
-
user3311890 over 7 years
Agreed as a bad idea, it was a requirement and talked people off of this idea, thank you so much!