How can a non-root user sudo to another non-root user without a password?
As root, I created a new non-root user on RHEL 7.5:

```
appuser:x:1903:1903:appuser:/home/appuser:/bin/bash
```

A non-root user needs to be able to sudo to appuser, `sudo -u appuser`, without a password.

What are the changes required on RHEL 7.5?

linux rhel sudo users
edited Oct 29 '18 at 15:06 – overexchange
asked Oct 29 '18 at 14:58 – overexchange

That `sudo su - appuser` is a horrendous security breach: you're giving full root access to the user who has permission to do that. Instead, just give the account permission to get to `appuser`, so they would `sudo -su appuser` (here, `-su` is two flags, `-s -u`). No need for the `su` command anywhere. – roaima Oct 29 '18 at 15:01

@roaima Query edited. `sudo -u syslog` does not work. It asks for the password for current user – overexchange Oct 29 '18 at 15:05

Of course it does. That's what `sudo` does. – roaima Oct 29 '18 at 15:28

1 Answer
You can edit the "User privilege specification" section of `/etc/sudoers`, adding:

```
non-root-user ALL = (appuser) NOPASSWD: ALL
```

This will allow `non-root-user` to run all commands as `appuser`. `non-root-user` will not be allowed to run commands as root.

Note that errors in `/etc/sudoers` can make a system unusable. The file should only be edited with:

```
$ sudo visudo
```

This special editor checks the `sudoers` file for errors before saving and refuses to save it if errors are found.

edited Mar 3 at 20:36
answered Oct 29 '18 at 15:27 – fra-san

But `-r--r----- 1 root root 1225 Jun 12 12:04 /etc/sudoers`. Do you think this is customised permission? – overexchange Oct 29 '18 at 15:50

E45 error on modifying the file with vi editor – overexchange Oct 29 '18 at 16:30

It looks like `-r--r-----` is the standard file mode for `/etc/sudoers`. Refer to my edited answer for how to edit it. – fra-san Oct 29 '18 at 17:18
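
One way to apply the rule from the answer above without opening `/etc/sudoers` itself, as an added example that is not part of the original answer or comments: the rule is staged in a temporary file, checked with `visudo -cf`, and only then installed as a drop-in. It assumes `/etc/sudoers` still carries the stock `#includedir /etc/sudoers.d` line; `DROPIN_DIR`, `valid_name`, `render_rule` and `install_rule` are names made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes /etc/sudoers contains
# "#includedir /etc/sudoers.d"; DROPIN_DIR and function names are hypothetical.
LC_ALL=C; export LC_ALL            # make the a-z ranges below byte-exact
DROPIN_DIR=${DROPIN_DIR:-/etc/sudoers.d}

# Accept only conservative account names, so an argument cannot carry extra
# sudoers syntax (spaces, commas, '#', '=') or the ALL keyword into the rule.
# No '.' is allowed either: sudo skips drop-in files whose name contains one.
valid_name() {
    case $1 in
        ''|ALL|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the answer's rule: $1 may run any command as $2 without a password.
# This helper is for non-root targets only, so root is refused as $2.
render_rule() {
    valid_name "$1" && valid_name "$2" || return 1
    [ "$2" != root ] || return 1
    printf '%s ALL = (%s) NOPASSWD: ALL\n' "$1" "$2"
}

# Stage the rule, let visudo check its syntax, then install it root:root 0440.
install_rule() {
    tmp=$(mktemp) || return 1
    if render_rule "$1" "$2" > "$tmp" && visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "$DROPIN_DIR/$1-as-$2"
        rc=$?
    else
        echo "rule rejected, nothing installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# As root:            install_rule non-root-user appuser
# Review the grant:   sudo -l -U non-root-user
# As non-root-user:   sudo -n -u appuser id -un
#   (-n makes sudo fail instead of prompting if a password is still required)
```

Because the syntax check runs on the staged copy, a malformed rule never reaches the directory that `sudo` reads.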