Linux: Allow user to execute specific command on behalf of any other user

linuxpermissionssusudo

I am trying to find a way to allow user john to execute a command (say echo) on behalf of another user peter without being prompted for password.

I found a thread that I thought would be the answer to my question:

john ALL = (ALL) NOPASSWD: /bin/echo

Unfortunately, this is not quite do what I want. This command executes the echo command as peter but in the context of john. That means the home directory remains that of john.

As the user john, if I run: "sudo -u peter echo ~", the response is: /home/john. I want it to be /home/peter.

The behaviour I was expecting is provided by the su command. As root, if I do: su peter -c "echo ~" , I get /home/peter.

The question this is, how do I get the behavior of su, without being root and without being prompted for password?

Best Answer

You need to specify the -i flag to make sudo read the login scripts & such and set the environment variables as they should be. Without making sudo load the environment, the home environment variable is not updated to reflect the running-as-user.

Related Solutions

Linux – security issue of Linux sudo command

It is not a security hole, at least no more than su is.

sudo is just of way for an administrator for having a quick root access without using a root shell (which can be dangerous).

sudo just requires the user to enter his own password and will indeed give him root access (try $ sudo whoami). However, not everyone should be in the /etc/sudoers file.

If you take a look at sudo manpage, you'll find how to limit sudo to some simple commands.

You can for instance, only allow the user bob to execute $ sudo poweroff without allowing him to do $ sudo cat /etc/shadow.

So no, it's not a security hole if you configure and use it correctly. If you don't want your users to have a root shell, think of forbidding commands like $ sudo su.

Allow user act as root, so he does not need to use sudo each time

In general, this is a bad idea, however if you really require this, then modify the following in /etc/sudoers:

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
<username>    ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
<username>      ALL=(ALL)       NOPASSWD: ALL

Or you can just use vipw and set the uid to be 0 for that username.

Best Answer

Related Solutions

Linux – security issue of Linux sudo command

Allow user act as root, so he does not need to use sudo each time

Related Topic