I'm running a service where I have users that are running services from their home directories. They are all in the group serviceusers, and I have a user that will perform automated tasks initiated from a website on the service users' files. Let's call him taskrunner.
I am trying to allow taskrunner to sudo as any user in serviceusers.
Now I tried to do this via the sudoers file:
serviceuser=ALL(serviceusers:serviceusers) NOPASSWD:ALL
(I realize that 'serviceusers:serviceusers' means serviceuser user and serviceuser group. But I don't want the taskrunner user to be able to sudo as all users. Just users in the serviceusers group)
So to be more specific I want to be able to run sudo -u serviceuser1 ... not sudo -g serviceusers...
I've been trying to add /etc/pam.d/sudo in order to allow this. But I can't find very good resources for what the proper syntax is for the pam.d/sudo file.
I know I can add to pam.d/su and allow the user to su to the users in the group, so that may be an option, however I was wondering if it was possible with just plain sudo.
I'm fairly new to server administration so if this is not the correct way to go about this let me know some good resources.
Best Answer
James.
I believe you can achieve the desired result by using this sudoers configuration line:
The line above tells sudo to authorize the taskrunner user to run any commands as any user that is a member of the serviceusers group. The related sections from man 5 sudoers are:
Thus, the meaning of my suggested configuration line is:
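A sudoers fragment for the approach the answer describes, written as an added example and not taken from the original answer. The drop-in file name and the script path in the restricted variant are assumptions, as is an includedir for /etc/sudoers.d in the main sudoers file.

```sudoers
# /etc/sudoers.d/taskrunner   (assumed file name; edit it with: visudo -f <file>)

# Attempt from the question, kept for comparison. The invoking user is not
# taskrunner, "=" and the host list are out of order, and the Runas list
# names a user and a group both called "serviceusers".
#   serviceuser=ALL(serviceusers:serviceusers) NOPASSWD:ALL

# Rule layout:
#   invoking-user  hosts = (run-as users : run-as groups)  tags: commands
#
# Inside the run-as user list, %group stands for every user who is a member
# of that group. taskrunner may therefore run
#   sudo -u serviceuser1 <command>
# for each member of serviceusers. A target outside the group is refused,
# and so is plain "sudo <command>" (target root) unless root is a member.
# No ":group" part is given, so "sudo -g serviceusers" is not granted.
taskrunner ALL = (%serviceusers) NOPASSWD: ALL

# Narrower variant for an account driven by a website: allow only the task
# script instead of ALL. /usr/local/bin/service-task is a hypothetical path.
# The script must not be writable by taskrunner or by the service users.
#taskrunner ALL = (%serviceusers) NOPASSWD: /usr/local/bin/service-task

# Checks after saving (run as root):
#   visudo -cf /etc/sudoers.d/taskrunner     # syntax check of this file
#   sudo -l -U taskrunner                    # list what taskrunner may run
```

Because group membership is evaluated when sudo runs, adding an account to serviceusers extends what taskrunner can reach without any change to this file.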