Switch user and elevate to root as a single action?
I have a system that is setup to require a password both to elevate to root, and to switch to the only user that can do so, so currently if I need to do something as root from another account I would do the following:
su admin
sudo su
The problem with this is that it requires me to enter my password twice, and since my admin account's password is long that makes it prone to mistakes.
What I'm wondering is, assuming the basic setup cannot be changed (i.e- no passwordless sudo etc.), is there a way to combine both commands so that I can only have to enter my password once?
sudo login su
add a comment |
I have a system that is setup to require a password both to elevate to root, and to switch to the only user that can do so, so currently if I need to do something as root from another account I would do the following:
su admin
sudo su
The problem with this is that it requires me to enter my password twice, and since my admin account's password is long that makes it prone to mistakes.
What I'm wondering is, assuming the basic setup cannot be changed (i.e- no passwordless sudo etc.), is there a way to combine both commands so that I can only have to enter my password once?
sudo login su
2
I know of no way to solve your requirement directly. I would ask though what extra security you think this gains you over a strong(er) password for your usual account and direct access to root usingsudo -s.
– roaima
Dec 29 '17 at 10:40
2
You could run the wholesu+sudo+following shell setup insideexpect, and use it to programmatically enter the password, but that's a bit of a horrible way to process passwords.
– ilkkachu
Dec 29 '17 at 12:21
@roaima: It's not so much about the security as about convenience; the system in question is macOS, but it could apply to any unix-y system really, where I would prefer to keep root access locked down to a single, probably over-secured account, because it lets me use easier to enter (not necessarily weak) passwords for other accounts, and forces me to stop and think more whenever I do anything with root access. For that reason I like that I still have to enter it under my admin account on occasions where I do use it directly, but when switching in from another account it's a pain.
– Haravikk
Dec 30 '17 at 11:40
add a comment |
I have a system that is setup to require a password both to elevate to root, and to switch to the only user that can do so, so currently if I need to do something as root from another account I would do the following:
su admin
sudo su
The problem with this is that it requires me to enter my password twice, and since my admin account's password is long that makes it prone to mistakes.
What I'm wondering is, assuming the basic setup cannot be changed (i.e- no passwordless sudo etc.), is there a way to combine both commands so that I can only have to enter my password once?
sudo login su
I have a system that is setup to require a password both to elevate to root, and to switch to the only user that can do so, so currently if I need to do something as root from another account I would do the following:
su admin
sudo su
The problem with this is that it requires me to enter my password twice, and since my admin account's password is long that makes it prone to mistakes.
What I'm wondering is, assuming the basic setup cannot be changed (i.e- no passwordless sudo etc.), is there a way to combine both commands so that I can only have to enter my password once?
sudo login su
sudo login su
asked Dec 29 '17 at 9:46
HaravikkHaravikk
3191416
3191416
2
I know of no way to solve your requirement directly. I would ask though what extra security you think this gains you over a strong(er) password for your usual account and direct access to root usingsudo -s.
– roaima
Dec 29 '17 at 10:40
2
You could run the wholesu+sudo+following shell setup insideexpect, and use it to programmatically enter the password, but that's a bit of a horrible way to process passwords.
– ilkkachu
Dec 29 '17 at 12:21
@roaima: It's not so much about the security as about convenience; the system in question is macOS, but it could apply to any unix-y system really, where I would prefer to keep root access locked down to a single, probably over-secured account, because it lets me use easier to enter (not necessarily weak) passwords for other accounts, and forces me to stop and think more whenever I do anything with root access. For that reason I like that I still have to enter it under my admin account on occasions where I do use it directly, but when switching in from another account it's a pain.
– Haravikk
Dec 30 '17 at 11:40
add a comment |
2
I know of no way to solve your requirement directly. I would ask though what extra security you think this gains you over a strong(er) password for your usual account and direct access to root usingsudo -s.
– roaima
Dec 29 '17 at 10:40
2
You could run the wholesu+sudo+following shell setup insideexpect, and use it to programmatically enter the password, but that's a bit of a horrible way to process passwords.
– ilkkachu
Dec 29 '17 at 12:21
@roaima: It's not so much about the security as about convenience; the system in question is macOS, but it could apply to any unix-y system really, where I would prefer to keep root access locked down to a single, probably over-secured account, because it lets me use easier to enter (not necessarily weak) passwords for other accounts, and forces me to stop and think more whenever I do anything with root access. For that reason I like that I still have to enter it under my admin account on occasions where I do use it directly, but when switching in from another account it's a pain.
– Haravikk
Dec 30 '17 at 11:40
2
2
I know of no way to solve your requirement directly. I would ask though what extra security you think this gains you over a strong(er) password for your usual account and direct access to root using
sudo -s.– roaima
Dec 29 '17 at 10:40
I know of no way to solve your requirement directly. I would ask though what extra security you think this gains you over a strong(er) password for your usual account and direct access to root using
sudo -s.– roaima
Dec 29 '17 at 10:40
2
2
You could run the whole
su+sudo+following shell setup inside expect, and use it to programmatically enter the password, but that's a bit of a horrible way to process passwords.– ilkkachu
Dec 29 '17 at 12:21
You could run the whole
su+sudo+following shell setup inside expect, and use it to programmatically enter the password, but that's a bit of a horrible way to process passwords.– ilkkachu
Dec 29 '17 at 12:21
@roaima: It's not so much about the security as about convenience; the system in question is macOS, but it could apply to any unix-y system really, where I would prefer to keep root access locked down to a single, probably over-secured account, because it lets me use easier to enter (not necessarily weak) passwords for other accounts, and forces me to stop and think more whenever I do anything with root access. For that reason I like that I still have to enter it under my admin account on occasions where I do use it directly, but when switching in from another account it's a pain.
– Haravikk
Dec 30 '17 at 11:40
@roaima: It's not so much about the security as about convenience; the system in question is macOS, but it could apply to any unix-y system really, where I would prefer to keep root access locked down to a single, probably over-secured account, because it lets me use easier to enter (not necessarily weak) passwords for other accounts, and forces me to stop and think more whenever I do anything with root access. For that reason I like that I still have to enter it under my admin account on occasions where I do use it directly, but when switching in from another account it's a pain.
– Haravikk
Dec 30 '17 at 11:40
add a comment |
1 Answer
1
active
oldest
votes
Set the complex password on the root account. Configure sudo with the rootpw option to require root's password instead of the initiator's password.
Then use sudo -s from your standard account to get root access.
You get your "simple" password for daily use but the more complex one - once - for root access.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f413631%2fswitch-user-and-elevate-to-root-as-a-single-action%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Set the complex password on the root account. Configure sudo with the rootpw option to require root's password instead of the initiator's password.
Then use sudo -s from your standard account to get root access.
You get your "simple" password for daily use but the more complex one - once - for root access.
add a comment |
Set the complex password on the root account. Configure sudo with the rootpw option to require root's password instead of the initiator's password.
Then use sudo -s from your standard account to get root access.
You get your "simple" password for daily use but the more complex one - once - for root access.
add a comment |
Set the complex password on the root account. Configure sudo with the rootpw option to require root's password instead of the initiator's password.
Then use sudo -s from your standard account to get root access.
You get your "simple" password for daily use but the more complex one - once - for root access.
Set the complex password on the root account. Configure sudo with the rootpw option to require root's password instead of the initiator's password.
Then use sudo -s from your standard account to get root access.
You get your "simple" password for daily use but the more complex one - once - for root access.
answered Dec 30 '17 at 11:56
roaimaroaima
44.7k655121
44.7k655121
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f413631%2fswitch-user-and-elevate-to-root-as-a-single-action%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
I know of no way to solve your requirement directly. I would ask though what extra security you think this gains you over a strong(er) password for your usual account and direct access to root using
sudo -s.– roaima
Dec 29 '17 at 10:40
2
You could run the whole
su+sudo+following shell setup insideexpect, and use it to programmatically enter the password, but that's a bit of a horrible way to process passwords.– ilkkachu
Dec 29 '17 at 12:21
@roaima: It's not so much about the security as about convenience; the system in question is macOS, but it could apply to any unix-y system really, where I would prefer to keep root access locked down to a single, probably over-secured account, because it lets me use easier to enter (not necessarily weak) passwords for other accounts, and forces me to stop and think more whenever I do anything with root access. For that reason I like that I still have to enter it under my admin account on occasions where I do use it directly, but when switching in from another account it's a pain.
– Haravikk
Dec 30 '17 at 11:40