EDIT thanks to medina's comment: According to the man page, you should be able to write
ALL ALL = (ALL) NOPASSWD: ALL
to allow all users to run all commands without a password.
For reference, I'm leaving my previous answer:
If you add a line of the form
%wheel ALL = (ALL) NOPASSWD: ALL
to /etc/sudoers (using the visudo command, of course), it will let everyone in the group wheel run any commands without providing a password. So I think the best solution is to put all your users in some group and put a line like that in sudoers - obviously you should replace wheel with the actual group you use.
Alternatively, you can define a user alias,
User_Alias EVERYONE = user1, user2, user3, ...
and use that:
EVERYONE ALL = (ALL) NOPASSWD: ALL
although you would have to update /etc/sudoers every time you add or remove a user.
You could do this directly with sudo. When I first started thinking about how to do that, I quickly realized that the number of chowns you would have to specify for n users would be n^2 if you try to map them directly. But you can cut this down to 2n if you require the user to take ownership of each file before re-assigning it. So, your sudoers file might look like this:
User_Alias CHOWNADMIN1 = jane
Cmnd_Alias CHOWNUSR1 = /bin/chown --from widget-dev jane *, /bin/chown --from jane widget-dev *
Cmnd_Alias CHOWNUSR2 = /bin/chown --from releng jane *, /bin/chown --from jane releng *
CHOWNADMIN1 ALL = NOPASSWD: CHOWNUSR1, CHOWNUSR2
With this setup, Jane can now do a two-step process to change ownership:
sudo chown --from widget-dev jane /tmp/foofile
sudo chown --from jane releng /tmp/foofile
Notice that you must restrict this permission with --from, or you open up the possibility of granting the user "jane" the permission to take ownership of files like /etc/shadow or /root/.ssh/id_rsa (that could be bad).
Of course, you could now write a very simple script to automate the chowns. Perhaps something like the following, but with some error checking:
#!/bin/bash
# rchown FROM TO FILE...: move ownership FROM -> $USER -> TO using the two
# chown invocations that sudoers permits
set -e
FROM=$1
shift
TO=$1
shift
sudo chown --from "$FROM" "$USER" "$@"
sudo chown --from "$USER" "$TO" "$@"
And now Jane can run "rchown releng widget-dev /tmp/foofile" or similar.
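The answer above hand-writes the 2n chown rules for one admin and two owners. The script below is an added example, not part of the original answer: it generates that sudoers fragment for any list of owners, counts the granted commands so you can confirm the 2n figure, and syntax-checks the result with visudo -cf when visudo is installed. The names jane, widget-dev, releng and amy are illustrative, and the alias names CHOWN_1, CHOWN_2, ... are my own choice.

```shell
#!/bin/bash
# Added example: generate "--from"-restricted chown rules for one admin and n owners.
# Each owner gets two commands: take a file from that owner, or hand it back to them,
# so any owner-to-owner move is two sudo chown steps through the admin (2n rules total).

# gen_chown_sudoers ADMIN OWNER... -> prints a sudoers fragment on stdout
gen_chown_sudoers() {
    local admin=$1; shift
    local i=1 owner aliases=""
    for owner in "$@"; do
        # alias name CHOWN_<n> is an assumption of this example, not from the page
        printf 'Cmnd_Alias CHOWN_%s = /bin/chown --from %s %s *, /bin/chown --from %s %s *\n' \
            "$i" "$owner" "$admin" "$admin" "$owner"
        aliases="${aliases:+$aliases, }CHOWN_$i"
        i=$((i + 1))
    done
    # without --from in every entry the admin could take ownership of any file at all
    printf '%s ALL = NOPASSWD: %s\n' "$admin" "$aliases"
}

# count_chown_rules ADMIN OWNER... -> number of chown commands granted (expect 2n)
count_chown_rules() {
    gen_chown_sudoers "$@" | grep -o '/bin/chown --from' | wc -l | tr -d ' '
}

# validate_fragment ADMIN OWNER... -> writes the fragment to a temp file and runs
# "visudo -cf" on it when visudo exists; returns visudo's status, or 0 if it is absent
validate_fragment() {
    local tmp rc=0
    tmp=$(mktemp) || return 1
    gen_chown_sudoers "$@" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null 2>&1 || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: the fragment for jane over three owners (constructed sample names)
gen_chown_sudoers jane widget-dev releng amy
echo "chown commands granted: $(count_chown_rules jane widget-dev releng amy)"
if validate_fragment jane widget-dev releng amy; then
    echo "fragment parses (or visudo not installed)"
else
    echo "visudo rejected the fragment"
fi
```

Install the output as a file under /etc/sudoers.d with mode 0440 rather than editing /etc/sudoers by hand, and keep the wildcard at the end: sudoers matches the whole argument string, so "--from owner admin *" still lets the admin name any path, which is exactly why the --from part must stay in every entry.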
Best Answer
You can specify the full "su - foouser" in the sudoers file - the entire command string must be matched, which prevents a simple "su -". On the downside, you'll have to list all acceptable destination users with separate allowed commands.
Alternately, you can use sudoers to specify groups of destination users and have them use the "sudo -U " format.