Allow user1 to “su - user2” without password
I need to allow user martin to switch to user martin-test without password:

su - martin-test

I think this can be configured in /etc/pam.d/su. There are already some lines in that file which can be uncommented. However, I don't like the idea of adding user martin to group wheel. I don't want to give martin any more privileges than to be able to switch to martin-test. I also do not want to use sudo.

What would be the best way to do it, while keeping the privileges of user martin minimal?

Tags: users, password, authentication, pam
This is easier to do with sudo, e.g. sudo -u martin-test -i. Is there a reason you are asking specifically about su?
– jordanm, Feb 5 '14 at 22:24

Do you have to use su, or is ssh martin-test@localhost okay (using a keypair or maybe .shosts for password-less authentication)?
– drewbenn, Feb 6 '14 at 1:08

@MartinVegter As you can see from the script answer, doing this through some sort of pam mechanism is very ugly. Really this is exactly what sudo was meant for. Aside from not normally using it, what are the objections?
– Patrick, Feb 12 '14 at 22:32

If a clean solution is possible with pam, I would prefer that over sudo. If sudo is the only possibility, then that is fine as well. My objections to sudo are mostly ideological: I don't like the idea of a user doing administration with sudo foo. When I need to do administration, I log in as root. Otherwise I log in as a user. These two distinct roles should not be mixed. Also, I already have pam infrastructure installed. I don't want to install another setuid program which can possibly introduce security bugs.
– Martin Vegter, Feb 13 '14 at 10:47

@MartinVegter You don't have to do sudo foo for specific commands. Sudo has sudo -s which will launch a shell. sudo is a very common utility, meaning its security has been thoroughly vetted, far more than some pam trickery will be. I would also argue that getting a root shell for tasks is much more insecure than launching specific commands. When you launch a shell, you run everything as root. If any one of those things (such as a simple ls) has a security vulnerability, then you've just opened a security hole.
– Patrick, Feb 13 '14 at 13:47
asked Feb 5 '14 at 21:26 by Martin Vegter, edited Feb 13 '14 at 4:26 by Braiam
4 Answers
Add the following lines right below the pam_rootok.so line in your /etc/pam.d/su:

auth [success=ignore default=1] pam_succeed_if.so user = martin-test
auth sufficient pam_succeed_if.so use_uid user = martin

These lines perform checks using the pam_succeed_if.so module. See also the Linux-PAM configuration file syntax to learn more about the auth lines.

- The first line checks whether the target user is martin-test. If it is, nothing happens (success=ignore) and we continue on the next line to check the current user. If it is not, the next line will be skipped (default=1) and we continue on subsequent lines with the usual authentication steps.
- The second line checks whether the current user is martin. If it is, the system considers the authentication process as successful and returns (sufficient). If it is not, nothing happens and we continue on subsequent lines with the usual authentication steps.

You can also restrict su to a group; here the group allowedpeople can su without a password:

auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople
If you want to authorize if they are in a certain group: auth sufficient pam_succeed_if.so user ingroup GROUP
– shrimpwagon, Aug 25 '15 at 21:08

@gnp Super Thanks!! Working on iCinga with nrpe, have to execute some command as different user!! Helped lot!!!!!! Thanks!!!!!
– saravanakumar, May 26 '16 at 15:57

@GnP Please help me on askubuntu.com/questions/821793/…
– Nullpointer, Sep 6 '16 at 18:19

It would be nice to add info on how to apply the changes as well.
– Kyslik, Nov 14 '17 at 13:33

@Kyslik what do you mean? The instructions on how to edit the necessary files are in the answer ...
– GnP, Nov 14 '17 at 17:10
If you don't want to change groups or use sudo, use a pam module called pam_exec to execute external scripts in a pam stage.

Add a line in your /etc/pam.d/su after the pam_rootok.so line:

auth sufficient pam_exec.so quiet /path/to/script

/path/to/script has the permissions 755 (rwxr-xr-x) and the following content:

#!/bin/bash
# Run by pam_exec.so: PAM passes the stage in PAM_TYPE, the su target in
# PAM_USER and the calling user in PAM_RUSER. Exit 0 tells pam_exec.so the
# check passed; any other status falls through to the normal password check.
# Keep the file owned by root and writable only by root: whoever can edit it
# decides who may su without a password.
if [ "$PAM_TYPE" == "auth" ] &&
   [ "$PAM_USER" == "martin-test" ] &&
   [ "$PAM_RUSER" == "martin" ]; then
    exit 0
else
    exit 1
fi

So this script exits with success if su:

- is called in context of authentication,
- the calling user is martin and
- the user to authenticate is martin-test.

See:

martin@host:~$ su - martin-test
martin-test@host:~$ exit
martin@host:~$ su - otheruser
Password: ****
otheruser@host:~$
pam_access can be used to provide similar functionality, without relying on a script. (this is what pam_access was made to do)
– jsbillings, Feb 6 '14 at 1:37

@jsbillings Would you make that (with some details) another answer?
– Hauke Laging, Feb 6 '14 at 6:06

How would I need to modify my /etc/pam.d/su to make use of pam_access for my situation?
– Martin Vegter, Feb 6 '14 at 9:18

@jsbillings Actually pam_access can't do this. When su is going through the pam stack, it's doing so as the user you're changing to, not the user you're changing from. So if you add a rule such as + : martin : ALL, it will allow anyone changing to martin. Even if you change martin to martin-test, it will still let anyone do it. You need to analyze both the user you're coming from, and the user you're changing to. Really, this is exactly what sudo is for...
– Patrick, Feb 12 '14 at 22:28
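As an added example (not code from the question or from any of the answers), the following Python model walks an su auth stack the way the pam_succeed_if answer describes the control flags, with stand-ins for the pam_exec script above and for pam_access as described in Patrick's comment. The group table, the users alice and bob, the password outcome and the access.conf rule are constructed; only the flags and tests used on this page are modelled, and a jump records nothing about the module's result, as the answer states.

```python
"""Toy walk of the auth stack in /etc/pam.d/su for the configurations above."""
from dataclasses import dataclass, field

GROUPS = {"allowedpeople": {"martin", "bob"}}   # constructed group database
ACCESS_ALLOWED = {"martin-test"}                # constructed '+ : martin-test : ALL'

@dataclass
class Ctx:
    ruser: str          # who ran su: PAM_RUSER, what 'use_uid' tests
    user: str           # the su target: PAM_USER, what a plain 'user' test sees
    password_ok: bool   # what pam_unix would find if it prompted
    prompted: bool = field(default=False, init=False)

def succeed_if(args, ctx):
    """pam_succeed_if.so: 'user = X', 'use_uid user = X', 'user ingroup G'."""
    toks = args.split()
    subject = ctx.user
    if toks[0] == "use_uid":        # test the calling user instead of the target
        subject, toks = ctx.ruser, toks[1:]
    what, op, value = toks
    if what == "user" and op == "=":
        return subject == value
    if what == "user" and op == "ingroup":
        return subject in GROUPS.get(value, set())
    raise ValueError("test not modelled: " + args)

def unix_password(args, ctx):
    """pam_unix.so stand-in; the password prompt is the side effect we track."""
    ctx.prompted = True
    return ctx.password_ok

MODULES = {
    "pam_rootok.so": lambda args, ctx: ctx.ruser == "root",
    "pam_succeed_if.so": succeed_if,
    "pam_unix.so": unix_password,
    # pam_exec.so running the script from the pam_exec answer: exit 0 only for
    # PAM_TYPE=auth, PAM_USER=martin-test, PAM_RUSER=martin.
    "pam_exec.so": lambda args, ctx: ctx.user == "martin-test" and ctx.ruser == "martin",
    # Simplified pam_access.so: it matches PAM_USER (and origin), never PAM_RUSER.
    "pam_access.so": lambda args, ctx: ctx.user in ACCESS_ALLOWED,
}

# Control words as {result: action}; actions are ignore/ok/done/bad or a skip count.
CONTROLS = {
    "sufficient": {"success": "done", "default": "ignore"},
    "required": {"success": "ok", "default": "bad"},
}

def parse_line(line):
    """Split 'auth <control> <module> [args]' into (control dict, module, args)."""
    typ, rest = line.split(None, 1)
    if typ != "auth":
        raise ValueError("only auth lines are modelled: " + line)
    if rest.startswith("["):                       # [success=... default=...] syntax
        body, rest = rest[1:].split("]", 1)
        kv = dict(item.split("=") for item in body.split())
        control = {"success": kv.get("success", kv["default"]), "default": kv["default"]}
    else:
        word, rest = rest.split(None, 1)
        control = CONTROLS[word]
    parts = rest.split(None, 1)
    return control, parts[0], (parts[1] if len(parts) > 1 else "")

def su(config, ruser, user, password_ok=False):
    """Simulate 'su - <user>' run by <ruser>; returns ('success'|'failure', prompted)."""
    ctx = Ctx(ruser, user, password_ok)
    entries = [parse_line(l) for l in config.strip().splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    failed = granted = False
    i = 0
    while i < len(entries):
        control, module, args = entries[i]
        i += 1
        result = MODULES[module](args, ctx)
        action = control["success" if result else "default"]
        if action.isdigit():          # jump: skip N lines, the result is not recorded
            i += int(action)
        elif action == "ok":
            granted = True
        elif action == "bad":         # required failed: remember it, keep going
            failed = True
        elif action == "done":        # sufficient: stop unless a required module failed
            return ("failure" if failed else "success"), ctx.prompted
        elif action != "ignore":
            raise ValueError("action not modelled: " + action)
    return ("success" if granted and not failed else "failure"), ctx.prompted

def stack(*middle):
    """Build a su auth stack: pam_rootok first, the given lines, then the password."""
    return "\n".join(("auth sufficient pam_rootok.so", *middle, "auth required pam_unix.so"))

SU_SUCCEED_IF = stack("auth [success=ignore default=1] pam_succeed_if.so user = martin-test",
                      "auth sufficient pam_succeed_if.so use_uid user = martin")
SU_GROUP = stack("auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople")
SU_EXEC = stack("auth sufficient pam_exec.so quiet /path/to/script")
SU_ACCESS = stack("auth sufficient pam_access.so")
```

su(SU_SUCCEED_IF, "martin", "martin-test") returns ('success', False) while su(SU_SUCCEED_IF, "martin", "otheruser", True) returns ('success', True), the password prompt having been reached. su(SU_GROUP, "bob", "root") also returns ('success', False): the group line on its own puts no guard on the target user, root included, and su(SU_ACCESS, "alice", "martin-test") returns ('success', False) because pam_access never sees the caller.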
If you don't have access to the root account, but have the password of the user you want to use to run a command, you can do the following.

- This will ask you for toto's password: su - toto -c whoami
- This will not: ssh toto@localhost whoami

Just install your public key in authorized_keys of toto.

Hope this can help ...

Thoughtful answer. However, the command someone wants to try running is already on the machine. So there is no point ssh'ing to the same server.
– Raja Anbazhagan, Aug 12 '15 at 11:31
My simple solution is:

sudo login -f martin-test

If you want to avoid sudo at all cost, I think it should be possible to put this in a script:

- owned by root and with root privileges (using the setuid flag)
- executable by everybody, also without any sudo.

However, I can't figure out the chown root and chmod +s ToTest.sh bits, to make this actually work:

#!/usr/bin/env bash
# Shows which user the script is actually running as.
echo howdy, I am $(whoami)
# Still needs sudo here, because the script does not run as root.
sudo login -f martin-test

It still runs as my normal user, as the echo tells me. And it still requires the sudo password. If it was running as root, one could do away with the sudo in the last line...

The setuid flag on a shell script (or any other script) won't work in Linux, and for good reasons. Notice that the above script with a working suid flag would immediately be a trap: It engages bash via "env" (quite self-defeatingly, because if you assume you don't know where bash is, why do you assume you know where env is or whether it even exists?). But in the end, you don't know what bash this will be exactly. It could come from the invoking user's directory and have been compiled a minute earlier from his source code. You see where I'm going? Or the user could override whoami ...
– David Tonhofer, Jan 26 at 13:31

My brain is currently too far away from these issues to fully grasp, but still thanx for the detailed explanations.
– Frank Nocke, Jan 28 at 11:36
The pam_succeed_if answer above was answered Feb 13 '14 at 20:25 by GnP and edited Jan 25 at 23:19 by David Tonhofer.
The pam_exec answer above was answered Feb 5 '14 at 22:36 by chaos and edited Feb 5 '14 at 22:42.
1
pam_access can be used to provide similar functionality, without relying on a script. (this is what pam_access was made to do)
– jsbillings
Feb 6 '14 at 1:37
1
@jsbillings Would you make that (with some details) another answer?
– Hauke Laging
Feb 6 '14 at 6:06
1
how would I need to modify my/etc/pam.d/su
to make use ofpam_access
for my situation?
– Martin Vegter
Feb 6 '14 at 9:18
3
@jsbillings Actuallypam_access
can't do this. Whensu
is going through the pam stack, it's doing so as the user you're changing to, not the user you're changing from. So if you add a rule such as+ : martin : ALL
, it will allow anyone changing tomartin
. Even if you changemartin
tomartin-test
, it will still let anyone do it. You need to analyze both the user you're coming from, and the user you're changing to. Really, this is exactly whatsudo
is for...
– Patrick
Feb 12 '14 at 22:28
If you don't have access to the root account, but have the password of the user you want to use to run a command, you can do the following.
- This will ask for toto's password: su - toto -c whoami
- This will not: ssh toto@localhost whoami
Just install your public key in toto's authorized_keys.
Hope this can help...
answered Mar 30 '15 at 16:00
Patrick
Thoughtful answer. However, the command someone wants to run is already on the machine, so there is no point ssh'ing to the same server.
– Raja Anbazhagan
Aug 12 '15 at 11:31
My simple solution is:

sudo login -f martin-test

If you want to avoid sudo at all cost, I think it should be possible to put this in a script:
- owned by root and with root privileges (using the setuid flag)
- executable by everybody, also without any sudo.

However, I can't figure out the chown root and chmod +s ToTest.sh bits to make this actually work:

#!/usr/bin/env bash
echo howdy, I am $(whoami)
sudo login -f martin-test

It still runs as my normal user, as the echo tells me. And it still requires the sudo password. If it was running as root, one could do away with the sudo in the last line...
answered Oct 28 '16 at 5:29
Frank Nocke
The setuid flag on a shell script (or any other script) won't work in Linux, and for good reasons. Notice that the above script with a working suid flag would immediately be a trap: it engages bash via "env" (quite self-defeatingly, because if you assume you don't know where bash is, why do you assume you know where env is or whether it even exists?). But in the end, you don't know what bash this will be exactly. It could come from the invoking user's directory and have been compiled a minute earlier from his source code. You see where I'm going? Or the user could override whoami...
– David Tonhofer
Jan 26 at 13:31
My brain is currently too far away from these issues to fully grasp, but still thanks for the detailed explanations.
– Frank Nocke
Jan 28 at 11:36
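What the helper in this answer would have to be, added as an example that is not code from the answer or its comments: the kernel ignores the setuid bit on interpreted scripts, so the helper must be a compiled binary. The program below lets exactly one caller (identified by the real uid) become exactly one target, drops root completely (supplementary groups, gid, uid, then a check that root cannot be regained), and starts the target's login shell with a freshly built environment instead of the caller's, which removes the PATH, env and whoami problems raised in the comment. The account names and the install path are assumptions. What it gives up compared with su or sudo: no PAM session, no utmp/wtmp record and no audit log of its own, so it only fits where that loss is acceptable.

```c
/* Added example, not code from the answer or its comments: the setuid helper
 * the answer tried to write as a script, as the compiled program it has to be.
 * CALLER, TARGET and the install path are assumptions for this example.
 *
 * Build and install as root:
 *   cc -O2 -Wall -o /usr/local/bin/become-martin-test become.c
 *   chown root:root /usr/local/bin/become-martin-test
 *   chmod 4755 /usr/local/bin/become-martin-test
 * (4750 plus a dedicated group limits who can even execute it.)
 */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

static const char *const CALLER = "martin";
static const char *const TARGET = "martin-test";

/* Policy, kept apart from the privileged code so it can be tested on its own:
 * only CALLER (matched on the real uid's name) may become TARGET. */
int caller_may_switch(const char *caller, const char *target)
{
    return caller != NULL && target != NULL &&
           strcmp(caller, CALLER) == 0 && strcmp(target, TARGET) == 0;
}

/* argv[0] of a login shell is "-" plus the shell's basename, e.g. "-bash". */
const char *login_argv0(const char *shell, char *buf, size_t n)
{
    const char *slash = strrchr(shell, '/');
    snprintf(buf, n, "-%s", slash ? slash + 1 : shell);
    return buf;
}

/* Give up root for good: supplementary groups, gid, uid, in that order, and
 * refuse to continue if any step fails or root can still be regained. */
static int drop_to(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0) return -1;             /* must fail now; if not, bail */
    return 0;
}

int main(void)
{
    const struct passwd *me = getpwuid(getuid());   /* real uid: who ran us */
    const struct passwd *pw;
    const char *shell;
    char home[4096], user[256], logname[256], shellvar[4096], argv0[256];

    /* Decide before the next getpw* call, which may reuse the same buffer. */
    if (!caller_may_switch(me ? me->pw_name : NULL, TARGET)) {
        fprintf(stderr, "become: uid %u may not switch to %s\n",
                (unsigned)getuid(), TARGET);
        return 1;
    }
    pw = getpwnam(TARGET);
    if (pw == NULL) {
        fprintf(stderr, "become: no such user %s\n", TARGET);
        return 1;
    }
    if (drop_to(pw) != 0) {
        perror("become: dropping privileges");
        return 1;
    }
    shell = (pw->pw_shell && *pw->pw_shell) ? pw->pw_shell : "/bin/sh";
    if (chdir(pw->pw_dir) != 0)
        perror("become: chdir");               /* non-fatal, as with su - */

    /* Fresh environment from the target's passwd entry: nothing from the
     * caller (PATH, LD_*, BASH_ENV, ...) reaches the new shell. */
    snprintf(home, sizeof home, "HOME=%s", pw->pw_dir);
    snprintf(user, sizeof user, "USER=%s", pw->pw_name);
    snprintf(logname, sizeof logname, "LOGNAME=%s", pw->pw_name);
    snprintf(shellvar, sizeof shellvar, "SHELL=%s", shell);
    {
        char *const env[] = { home, user, logname, shellvar,
                              "PATH=/usr/local/bin:/usr/bin:/bin", NULL };
        execle(shell, login_argv0(shell, argv0, sizeof argv0), (char *)NULL, env);
    }
    perror("become: exec");
    return 1;
}
```

The shell is taken from the target's passwd entry by absolute path and executed with execle, so nothing on the caller's PATH is consulted; the policy is a hard-coded pair rather than an argument, so the binary cannot be repurposed to reach any other account.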
@MartinVegter You don't have to do sudo foo for specific commands. Sudo has sudo -s which will launch a shell. sudo is a very common utility, meaning its security has been thoroughly vetted, far more than some pam trickery will be. I would also argue that getting a root shell for tasks is much more insecure than launching specific commands. When you launch a shell, you run everything as root. If any one of those things (such as a simple ls) has a security vulnerability, then you've just opened a security hole.
– Patrick
Feb 13 '14 at 13:47