Allow user1 to “su – user2” without password

by

I need to allow user martin to switch to user martin-test without password

su - martin-test

I think this can be configured in /etc/pam.d/su. There are already some lines in that file which can be uncommented. However, I don’t like the idea of adding user martin to group wheel. I don’t want to give martin any more privileges than to be able to switch to martin-test. I also do not want to use sudo.

What would be the best way to do it, while keeping the privileges of user martin minimal?

Contents hide
Answers:
Method 1
Method 2
Method 3
Method 4
Method 5

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Add the following lines underneath the pam_rootok.so line in your /etc/pam.d/su:

auth  [success=ignore default=1] pam_succeed_if.so user = martin-test
auth  sufficient                 pam_succeed_if.so use_uid user = martin

These lines perform checks using the pam_succeed_if.so module. See also the Linux-PAM configuration file syntax to learn more about the auth lines.

  • The first line checks whether the target user is martin-test. If it is nothing happens (success=ignore) and we can continue on the next line to check the current user. If it is not, the next line will be skipped (default=1) and we can continue on subsequent lines with the usual authentication steps.
  • The second line checks whether the current user is martin or not, if it is then the system considers the authentication process as successful and returns (sufficient), if it is not, nothing happens and we continue on subsequent lines with the usual authentication steps.

You can also restrict su to a group, here the group allowedpeople can su without a password:

auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople

Method 2

If you don’t want to change groups or use sudo, use a pam module called pam_exec to execute external scripts in a pam stage.

Add a line in your /etc/pam.d/su after the pam_rootok.so line:

auth       sufficient pam_exec.so quiet /path/to/script

/path/to/script has the permissions 755 (rwxr-xr-x) and the following content:

#!/bin/bash
if [ "$PAM_TYPE" == "auth" ] && 
[ "$PAM_USER" == "martin-test" ] && 
[ "$PAM_RUSER" == "martin" ]; then
  exit 0
else
  exit 1
fi

So this script exits with success if su:

  • is called in context of authentication,
  • the calling user is martin and
  • the user to authenticate is martin-test.

See:

<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="3f525e4d4b56517f57504c4b">[email protected]</a>:~$ su - martin-test
<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="6a070b181e0304471e0f191e2a0205191e">[email protected]</a>:~$ exit
<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="acc1cdded8c5c2ecc4c3dfd8">[email protected]</a>:~$ su - otheruser
Password: ****
<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="d8b7acb0bdaaadabbdaa98b0b7abac">[email protected]</a>:~$

Method 3

This might be the possible best way.

su is not meant to do that — sudo is.

Open /etc/sudoers.d/custom and write the following:

user-a ALL=(user-b:user-b) NOPASSWD:ALL

This means: whenever user-a executes sudo -u user-b, let him go without asking for the password.

Another way

youruserid ALL = (username) NOPASSWD: ALL

with visudo and then sudo -u username bash is like su - username

Method 4

If you don’t have access to the root account, but have the password of the user you want to use to run a command, you can do the following.

  • This will ask you the toto’s password : su – toto -c whoami
  • This will not : ssh [email protected] whoami

Just install your public key in authorized_keys of toto

Method 5

My simple solution is:

sudo login -f martin-test

If you want to avoid sudo at all cost, I think it should be possible to put this in a script:

  1. owned by root and with root privileges (using the setuid flag)
  2. executable by everybody, also without any sudo.

However, I can’t figure out the chown root and chmod +s ToTest.sh bits, to make this actually work:

#!/usr/bin/env bash
echo howdy, I am $(whoami)
sudo login -f martin-test

I still runs as my normal user, as the echo tells me. And it still requires sudo password. If it was running as root, one could do away with the sudo in the last line…


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x