Allow user1 to “su - user2” without password

I need to allow user martin to switch to user martin-test without a password:

su - martin-test

I think this can be configured in /etc/pam.d/su. There are already some lines in that file which can be uncommented. However, I don't like the idea of adding user martin to group wheel. I don't want to give martin any more privileges than to be able to switch to martin-test. I also do not want to use sudo.

What would be the best way to do it, while keeping the privileges of user martin minimal?
  • This is easier to do with sudo, e.g. sudo -u martin-test -i. Is there a reason you are asking specifically about su?

    – jordanm
    Feb 5 '14 at 22:24

  • Do you have to use su, or is ssh martin-test@localhost okay (using a keypair or maybe .shosts for password-less authentication)?

    – drewbenn
    Feb 6 '14 at 1:08

  • @MartinVegter As you can see from the script answer, doing this through some sort of pam mechanism is very ugly. Really, this is exactly what sudo was meant for. Aside from not normally using it, what are the objections?

    – Patrick
    Feb 12 '14 at 22:32

  • If a clean solution is possible with pam, I would prefer that over sudo. If sudo is the only possibility, then that is fine as well. My objections to sudo are mostly ideological: I don't like the idea of a user doing administration with sudo foo. When I need to do administration, I log in as root. Otherwise I log in as a user. These two distinct roles should not be mixed. Also, I already have pam infrastructure installed. I don't want to install another setuid program which can possibly introduce security bugs.

    – Martin Vegter
    Feb 13 '14 at 10:47

  • @MartinVegter You don't have to do sudo foo for specific commands. Sudo has sudo -s which will launch a shell. sudo is a very common utility, meaning its security has been thoroughly vetted, far more than some pam trickery will be. I would also argue that getting a root shell for tasks is much more insecure than launching specific commands. When you launch a shell, you run everything as root. If any one of those things (such as a simple ls) has a security vulnerability, then you've just opened a security hole.

    – Patrick
    Feb 13 '14 at 13:47
Tags: users, password, authentication, pam
asked Feb 5 '14 at 21:26 by Martin Vegter
edited Feb 13 '14 at 4:26 by Braiam
4 Answers
Add the following lines right below the pam_rootok.so line in your /etc/pam.d/su:

auth [success=ignore default=1] pam_succeed_if.so user = martin-test
auth sufficient pam_succeed_if.so use_uid user = martin

These lines perform checks using the pam_succeed_if.so module. See also the Linux-PAM configuration file syntax to learn more about the auth lines.

  • The first line checks whether the target user is martin-test. If it is, nothing happens (success=ignore) and we continue on the next line to check the current user. If it is not, the next line will be skipped (default=1) and we continue on subsequent lines with the usual authentication steps.

  • The second line checks whether the current user is martin. If it is, the system considers the authentication process as successful and returns (sufficient). If it is not, nothing happens and we continue on subsequent lines with the usual authentication steps.

You can also restrict su to a group; here the group allowedpeople can su without a password:

auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople
  • If you want to authorize if they are in a certain group: auth sufficient pam_succeed_if.so user ingroup GROUP

    – shrimpwagon
    Aug 25 '15 at 21:08

  • @gnp Super, thanks!! Working on iCinga with nrpe, I have to execute some command as a different user!! Helped a lot!!!!!! Thanks!!!!!

    – saravanakumar
    May 26 '16 at 15:57

  • @GnP Please help me on askubuntu.com/questions/821793/…

    – Nullpointer
    Sep 6 '16 at 18:19

  • It would be nice to add info on how to apply the changes as well.

    – Kyslik
    Nov 14 '17 at 13:33

  • @Kyslik what do you mean? The instructions on how to edit the necessary files are in the answer ...

    – GnP
    Nov 14 '17 at 17:10
If you don't want to change groups or use sudo, use a pam module called pam_exec to execute external scripts in a pam stage.

Add a line in your /etc/pam.d/su after the pam_rootok.so line:

auth sufficient pam_exec.so quiet /path/to/script

/path/to/script has the permissions 755 (rwxr-xr-x) and the following content:

#!/bin/bash
# pam_exec exports the PAM items as environment variables: PAM_TYPE is the
# stage (auth, account, ...), PAM_USER the user being authenticated (the su
# target) and PAM_RUSER the user who invoked su.
if [ "$PAM_TYPE" == "auth" ] &&
   [ "$PAM_USER" == "martin-test" ] &&
   [ "$PAM_RUSER" == "martin" ]; then
    exit 0
else
    exit 1
fi

So this script exits with success if su:

  • is called in the context of authentication,

  • the calling user is martin and

  • the user to authenticate is martin-test.

See:

martin@host:~$ su - martin-test
martin-test@host:~$ exit
martin@host:~$ su - otheruser
Password: ****
otheruser@host:~$
  • pam_access can be used to provide similar functionality, without relying on a script. (This is what pam_access was made to do.)

    – jsbillings
    Feb 6 '14 at 1:37

  • @jsbillings Would you make that (with some details) another answer?

    – Hauke Laging
    Feb 6 '14 at 6:06

  • How would I need to modify my /etc/pam.d/su to make use of pam_access for my situation?

    – Martin Vegter
    Feb 6 '14 at 9:18

  • @jsbillings Actually pam_access can't do this. When su is going through the pam stack, it's doing so as the user you're changing to, not the user you're changing from. So if you add a rule such as + : martin : ALL, it will allow anyone changing to martin. Even if you change martin to martin-test, it will still let anyone do it. You need to analyze both the user you're coming from, and the user you're changing to. Really, this is exactly what sudo is for...

    – Patrick
    Feb 12 '14 at 22:28
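As an added illustration (not code from either answer, nor from Linux-PAM) of how the stacks in the pam_succeed_if answer and in the pam_exec answer reach their decision, here is a small Python model of an auth stack. It implements the control flags sufficient, required and [success=ignore default=N], plus stand-ins for pam_rootok, pam_succeed_if (with and without use_uid), pam_unix and the pam_exec script, and then evaluates the stacks above for a few (calling user, target user) pairs. It also includes a deliberately wrong stack without use_uid, to show the trap Patrick's comment describes for pam_access: a predicate on user alone is evaluated against the user you are changing to, so it lets anyone become that user. The names su_allowed, evaluate, Ctx and GROUPS, the uid 1000, the sample users and group memberships, and the numeric return codes are my own constructions; the module semantics are simplified and not those of the real libraries.

```python
"""Toy model of a Linux-PAM 'auth' stack, added for this page as an illustration.
Not libpam: only the control flags and modules the answers above use are
modelled, with simplified semantics; users, groups and uids are constructed."""
from dataclasses import dataclass, field

PAM_SUCCESS, PAM_AUTH_ERR = 0, 7  # modelled on libpam's return codes

# Constructed sample group database: user -> set of group names
GROUPS = {"martin": {"martin"}, "martin-test": {"martin-test"},
          "alice": {"alice", "allowedpeople"}, "bob": {"bob"}}


@dataclass
class Ctx:
    """What su hands to the stack: PAM_RUSER (caller), PAM_USER (target),
    the caller's real uid, and whether the caller would pass pam_unix."""
    ruser: str
    user: str
    ruid: int
    password_ok: bool = False
    groups: dict = field(default_factory=dict)


def pam_rootok(ctx, args):
    return PAM_SUCCESS if ctx.ruid == 0 else PAM_AUTH_ERR


def pam_succeed_if(ctx, args):
    """'user <op> <value>'. With use_uid the subject is the CALLING user
    (real uid); without it, the subject is the user being authenticated."""
    use_uid = "use_uid" in args
    field_name, op, value = [a for a in args if a != "use_uid"]
    assert field_name == "user", "only the 'user' field is modelled here"
    subject = ctx.ruser if use_uid else ctx.user
    if op == "=":
        ok = subject == value
    elif op == "ingroup":
        ok = value in ctx.groups.get(subject, set())
    else:
        raise ValueError(f"operator {op!r} not modelled")
    return PAM_SUCCESS if ok else PAM_AUTH_ERR


def pam_exec(ctx, args):
    """Stands in for 'pam_exec.so quiet /path/to/script': the same three tests
    the script makes on the variables pam_exec exports (args are ignored)."""
    env = {"PAM_TYPE": "auth", "PAM_USER": ctx.user, "PAM_RUSER": ctx.ruser}
    ok = (env["PAM_TYPE"] == "auth" and env["PAM_USER"] == "martin-test"
          and env["PAM_RUSER"] == "martin")
    return PAM_SUCCESS if ok else PAM_AUTH_ERR


def pam_unix(ctx, args):
    return PAM_SUCCESS if ctx.password_ok else PAM_AUTH_ERR


MODULES = {"pam_rootok.so": pam_rootok, "pam_succeed_if.so": pam_succeed_if,
           "pam_exec.so": pam_exec, "pam_unix.so": pam_unix}


def evaluate(stack, ctx):
    """Walk the stack top to bottom; return PAM_SUCCESS or PAM_AUTH_ERR."""
    i, required_failed, required_ok = 0, False, False
    while i < len(stack):
        control, module, args = stack[i]
        ok = MODULES[module](ctx, args) == PAM_SUCCESS
        if control == "sufficient":
            if ok and not required_failed:
                return PAM_SUCCESS        # decided here; nothing below runs
        elif control == "required":       # never decides early, only records
            required_ok, required_failed = required_ok or ok, required_failed or not ok
        elif control.startswith("["):     # [success=... default=...]
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
            action = actions["success" if ok else "default"]
            if action.isdigit():          # jump over the next N lines
                i += int(action)
            elif action != "ignore":
                required_failed = True
        else:
            raise ValueError(f"control {control!r} not modelled")
        i += 1
    return PAM_SUCCESS if required_ok and not required_failed else PAM_AUTH_ERR


ROOTOK = ("sufficient", "pam_rootok.so", [])
UNIX = ("required", "pam_unix.so", [])     # the usual password check below
# The two lines from the pam_succeed_if answer, inserted after the rootok line
SUCCEED_IF_STACK = [
    ROOTOK,
    ("[success=ignore default=1]", "pam_succeed_if.so", ["user", "=", "martin-test"]),
    ("sufficient", "pam_succeed_if.so", ["use_uid", "user", "=", "martin"]),
    UNIX]
# The group variant from the same answer
GROUP_STACK = [ROOTOK, ("sufficient", "pam_succeed_if.so",
                        ["use_uid", "user", "ingroup", "allowedpeople"]), UNIX]
# The line from the pam_exec answer
EXEC_STACK = [ROOTOK, ("sufficient", "pam_exec.so", ["quiet", "/path/to/script"]), UNIX]
# Pitfall: without use_uid the predicate is about the TARGET user, so anybody
# can become martin without a password (the same trap Patrick's comment
# describes for pam_access, which likewise only sees the target user).
NO_USE_UID_STACK = [ROOTOK, ("sufficient", "pam_succeed_if.so", ["user", "=", "martin"]), UNIX]


def su_allowed(stack, ruser, user, password_ok=False):
    """True if 'su - <user>' run by <ruser> gets through <stack>."""
    ctx = Ctx(ruser, user, ruid=0 if ruser == "root" else 1000,  # constructed uid
              password_ok=password_ok, groups=GROUPS)
    return evaluate(stack, ctx) == PAM_SUCCESS
```

Running su_allowed over the pairs shows the intended behaviour of both answers (martin to martin-test passes without a password, bob to martin-test and martin to anyone else fall through to the password check, root passes via pam_rootok) and the wrong stack letting bob become martin. Two things the model makes visible for whichever variant you deploy: the pam_exec script decides an authentication outcome, so it must stay root-owned and writable only by root; and the negative cases (another user to martin-test, martin to another user) deserve testing as much as the one you want to allow.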



















If you don't have access to the root account, but have the password of the user you want to use to run a command, you can do the following.

  • This will ask you for toto's password: su - toto -c whoami

  • This will not: ssh toto@localhost whoami

Just install your public key in the authorized_keys of toto.

Hope this can help ...
  • Thoughtful answer. However, the command someone wants to try running is already on the machine, so there is no point ssh'ing to the same server.

    – Raja Anbazhagan
    Aug 12 '15 at 11:31
My simple solution is:

sudo login -f martin-test

If you want to avoid sudo at all cost, I think it should be possible to put this in a script:

  1. owned by root and with root privileges (using the setuid flag)

  2. executable by everybody, also without any sudo.

However, I can't figure out the chown root and chmod +s ToTest.sh bits, to make this actually work:

#!/usr/bin/env bash
echo howdy, I am $(whoami)
sudo login -f martin-test

It still runs as my normal user, as the echo tells me. And it still requires the sudo password. If it was running as root, one could do away with the sudo in the last line...
  • The setuid flag on a shell script (or any other script) won't work in Linux, and for good reasons. Notice that the above script with a working suid flag would immediately be a trap: it engages bash via "env" (quite self-defeatingly, because if you assume you don't know where bash is, why do you assume you know where env is or whether it even exists?). But in the end, you don't know what bash this will be exactly. It could come from the invoking user's directory and have been compiled a minute earlier from his source code. You see where I'm going? Or the user could override whoami...

    – David Tonhofer
    Jan 26 at 13:31

  • My brain is currently too far away from these issues to fully grasp, but still thanks for the detailed explanations.

    – Frank Nocke
    Jan 28 at 11:36










The pam_succeed_if answer above was answered Feb 13 '14 at 20:25 by GnP and edited Jan 25 at 23:19 by David Tonhofer.







  • 1





    If you want to authorize if they are in a certain group: auth sufficient pam_succeed_if.so user ingroup GROUP

    – shrimpwagon
    Aug 25 '15 at 21:08











  • @gnp Super Thanks!! Working on iCinga with nrpe, have to execute some command as different user!! Helped lot!!!!!! Thanks!!!!!

    – saravanakumar
    May 26 '16 at 15:57











  • @GnP Please help me on askubuntu.com/questions/821793/…

    – Nullpointer
    Sep 6 '16 at 18:19











  • It would be nice to add info on how to apply the changes as well.

    – Kyslik
    Nov 14 '17 at 13:33











  • @Kyslik what do you mean? The instructions on how to edit the necessary files are in the answer ...

    – GnP
    Nov 14 '17 at 17:10













  • 1





    If you want to authorize if they are in a certain group: auth sufficient pam_succeed_if.so user ingroup GROUP

    – shrimpwagon
    Aug 25 '15 at 21:08











  • @gnp Super Thanks!! Working on iCinga with nrpe, have to execute some command as different user!! Helped lot!!!!!! Thanks!!!!!

    – saravanakumar
    May 26 '16 at 15:57











  • @GnP Please help me on askubuntu.com/questions/821793/…

    – Nullpointer
    Sep 6 '16 at 18:19











  • It would be nice to add info on how to apply the changes as well.

    – Kyslik
    Nov 14 '17 at 13:33











  • @Kyslik what do you mean? The instructions on how to edit the necessary files are in the answer ...

    – GnP
    Nov 14 '17 at 17:10








1




1





If you want to authorize if they are in a certain group: auth sufficient pam_succeed_if.so user ingroup GROUP

– shrimpwagon
Aug 25 '15 at 21:08





If you want to authorize if they are in a certain group: auth sufficient pam_succeed_if.so user ingroup GROUP

– shrimpwagon
Aug 25 '15 at 21:08













@gnp Super Thanks!! Working on iCinga with nrpe, have to execute some command as different user!! Helped lot!!!!!! Thanks!!!!!

– saravanakumar
May 26 '16 at 15:57





@gnp Super Thanks!! Working on iCinga with nrpe, have to execute some command as different user!! Helped lot!!!!!! Thanks!!!!!

– saravanakumar
May 26 '16 at 15:57













@GnP Please help me on askubuntu.com/questions/821793/…

– Nullpointer
Sep 6 '16 at 18:19





@GnP Please help me on askubuntu.com/questions/821793/…

– Nullpointer
Sep 6 '16 at 18:19













It would be nice to add info on how to apply the changes as well.

– Kyslik
Nov 14 '17 at 13:33





It would be nice to add info on how to apply the changes as well.

– Kyslik
Nov 14 '17 at 13:33













@Kyslik what do you mean? The instructions on how to edit the necessary files are in the answer ...

– GnP
Nov 14 '17 at 17:10






@Kyslik what do you mean? The instructions on how to edit the necessary files are in the answer ...

– GnP
Nov 14 '17 at 17:10














12














If you don't want to change groups or use sudo, use a pam module called pam_exec to execute external scripts in a pam stage.



Add a line in your /etc/pam.d/su after the pam_rootok.so line:



auth sufficient pam_exec.so quiet /path/to/script


/path/to/script has the permissions 755 (rwxr-xr-x) and the following content:



#!/bin/bash
if [ "$PAM_TYPE" == "auth" ] &&
[ "$PAM_USER" == "martin-test" ] &&
[ "$PAM_RUSER" == "martin" ]; then
exit 0
else
exit 1
fi


So this script exists with success if su:



  • is called in context of authentication,

  • the calling user is martin and

  • the user to authenticate is martin-test.

See:



martin@host:~$ su - martin-test
martin-test@host:~$ exit
martin@host:~$ su - otheruser
Password: ****
otheruser@host:~$





edited Feb 5 '14 at 22:42

























answered Feb 5 '14 at 22:36









chaos







  • 1





    pam_access can be used to provide similar functionality, without relying on a script. (this is what pam_access was made to do)

    – jsbillings
    Feb 6 '14 at 1:37






  • 1





    @jsbillings Would you make that (with some details) another answer?

    – Hauke Laging
    Feb 6 '14 at 6:06






  • 1





    how would I need to modify my /etc/pam.d/su to make use of pam_access for my situation?

    – Martin Vegter
    Feb 6 '14 at 9:18






  • 3





    @jsbillings Actually pam_access can't do this. When su is going through the pam stack, it's doing so as the user you're changing to, not the user you're changing from. So if you add a rule such as + : martin : ALL, it will allow anyone changing to martin. Even if you change martin to martin-test, it will still let anyone do it. You need to analyze both the user you're coming from, and the user you're changing to. Really, this is exactly what sudo is for...

    – Patrick
    Feb 12 '14 at 22:28
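An added example, not part of chaos's answer and not pam_exec's own code: the same decision generalised to an allowlist of caller:target pairs, failing closed when PAM_RUSER or PAM_USER is missing, and callable outside PAM so it can be tested. The path /etc/security/su-allow.list, the SU_ALLOWLIST override, the sample allowlist entries and the function names are my own assumptions; pam_exec really does export PAM_TYPE, PAM_RUSER and PAM_USER, which is what makes checking both ends of the pair possible.

```shell
#!/bin/sh
# Added example (not from the answer above): pam_exec.so auth script whose
# decision comes from an allowlist of "caller:target" lines. The file path,
# the SU_ALLOWLIST override and the function names are assumptions of this
# example; su-allow.list does not exist on a stock system.

ALLOWLIST="${SU_ALLOWLIST:-/etc/security/su-allow.list}"

# su_pair_allowed STAGE RUSER USER
# Returns 0 (reported by pam_exec as success) only when all of these hold:
#  - STAGE is "auth": pam_exec runs the script for every stage it is listed
#    in, so an account or session call must not be mistaken for authentication;
#  - RUSER and USER are both non-empty: fail closed if su did not export
#    PAM_RUSER, instead of letting an empty caller match something;
#  - the exact "RUSER:USER" pair is one whole line of the allowlist.
su_pair_allowed() {
    stage="$1"; ruser="$2"; user="$3"
    [ "$stage" = "auth" ] || return 1
    [ -n "$ruser" ] && [ -n "$user" ] || return 1
    [ -r "$ALLOWLIST" ] || return 1
    # -x: whole-line match, so martin:martin-test never matches
    #     martin:martin-test2;  -F: user names are literals, not regexes.
    grep -qxF -- "${ruser}:${user}" "$ALLOWLIST"
}

# make_demo_allowlist: writes a constructed allowlist to a temp file and
# prints its path, so the logic can be exercised outside PAM.
make_demo_allowlist() {
    f=$(mktemp) || return 1
    printf '%s\n' 'martin:martin-test' 'alice:svc-build' > "$f"
    printf '%s\n' "$f"
}

# When pam_exec invokes the script, PAM_TYPE is always set: act on the
# environment and exit with the verdict (0 = allow, anything else = fall
# through to the next module in /etc/pam.d/su). When PAM_TYPE is absent the
# file is being sourced for testing, so only the functions are defined.
if [ -n "$PAM_TYPE" ]; then
    if su_pair_allowed "$PAM_TYPE" "$PAM_RUSER" "$PAM_USER"; then
        exit 0
    fi
    exit 1
fi
```

Install it with the same mode 755 and the same `auth sufficient pam_exec.so quiet /path/to/script` line as the answer; the allowlist should be root-owned and not writable by the users it names.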













0














If you don't have access to the root account, but have the password of the user you want to use to run a command, you can do the following.



  • This will ask you for toto's password: su - toto -c whoami

  • This will not: ssh toto@localhost whoami

Just install your public key in toto's authorized_keys.

Hope this can help ...






answered Mar 30 '15 at 16:00









Patrick












  • Thoughtful answer.. However, the command someone wanna try running is already on the machine. So there is no point ssh'ing to the same server.

    – Raja Anbazhagan
    Aug 12 '15 at 11:31

















-1














My simple solution is:



sudo login -f martin-test


If you want to avoid sudo at all cost, I think it should be possible to put this in a script:



  1. owned by root and with root privileges (using the setuid flag)

  2. executable by everybody, also without any sudo.

However, I can't figure out the chown root and chmod +s ToTest.sh bits, to make this actually work:



#!/usr/bin/env bash
echo howdy, I am $(whoami)
sudo login -f martin-test


It still runs as my normal user, as the echo tells me. And it still requires the sudo password. If it was running as root, one could do away with the sudo in the last line...






answered Oct 28 '16 at 5:29









Frank Nocke












  • The setuid flag on a shell (or any other) script won't work in Linux and for good reasons. Notice that the above script with a working suid flag would immediately be a trap: It engages bash via "env" (quite self-defeatingly, because if you assume you don't know where bash is, why do you assume you know where env is or whether it even exists?). But in the end, you don't know what bash this will be exactly. It could come from the invoking user's directory and have been compiled a minute earlier from his source code. You see where I'm going? Or the user could override whoami...

    – David Tonhofer
    Jan 26 at 13:31












  • My brain is currently too far away from these issues to fully grasp, but still thanx for the detailed explanations.

    – Frank Nocke
    Jan 28 at 11:36
















