how to restrict users switching from su command - switch-statement

How can I restrict users switching by su command..? suppose there are 3 users (root,user1 and user2)
only root and user1 can switch by using su command. root or user1 should not be able to switch to user 2 by using su command.
root su - user1 ----- ok
sudo su - (from user1 )--------- ok
root su - user2 ------ should be blocked
sudo su - user 2 (frm user 1) ------------ should be blocked
How can I do this
OS is RHEL 7

Related

How to switch from user 1 to user 2 and run some commands in linux?

I need to make a bash script to swith from user 1 to user 2 at system start up in linux and run the script to execute a command. I want this all happens without asking me the password of user 2.. Just to turn on the pc and login with usr 1 and everthing then run automatically.
Using sudo command, add the following to your sudoers file (using visudo command) :
user1 ALL=(user2) NOPASSWD: ALL
This allows the user user1 to run any command with the identity user2 using sudo command and without any password authentication. For instance :
user1$ sudo -u user2 whoami
user2
You can reduce the set of commands by listing the allowed commands instead of the "ALL" keyword in sudoers :
user1 ALL=(user2) NOPASSWD: /usr/bin/whoami, /bin/ls
You need the script itself to dynamically switch users and run commands?
Store those commands in another script and run that as user2.
echo "command1; command2; etc;">/tmp/file2run
sudo -u user2 bash /tmp/file2run
You can achieve this using here document as well
su user1 - <<END
id
## Do some user1 related activities
END
su user2 - << END
id
## Do some user2 related activities
END
su user1 - <<END
id
## continue user1 related activities
END
if user1 can access user2 without password, then you can put user2 here doc inside user1 here doc and make sure to use different delimiter if you are using nested here doc approach.

sudo su to an other user to run script

I am trying to login as USER1 and switch user to USER2 and execute some scripts (100+ scripts, can't list them all out in the sudoer file one by one) as USER2
in the Sudoer file i have
USER1 ALL=(USER2) NOPASSWD: ALL
When i run the following as USER1
sudo su - USER2 -c "test.sh"
I get
Sorry, user USER1 is not allowed to execute '/bin/su - USER2 -c
test.sh' as root
if i run
sudo su - sassrv
I get
Sorry, user USER1 is not allowed to execute '/bin/su - USER2'
If i change the Sudoer file to
USER1 ALL=(ALL) NOPASSWD: /bin/su - USER2
It will let me switch user, but i am still getting
Sorry, user USER1 is not allowed to execute '/bin/su - USER2 -c
test.sh' as root
How can i achieve this?
You wanted to run test.sh as USER2 with sudo, but instead you run su as root.
su may in turn try to run test.sh as USER2, but that's beyond the scope and knowledge of sudo. From sudo's point of view, the only thing you're doing is trying to run a command as root.
Instead, ask sudo to run test.sh as USER2 directly:
sudo -u USER2 test.sh
PS: sudo su in any context is a code smell that indicates a lack of understanding of what sudo is and does.

Unable to run Ansible with sudo user

We have a user userA on the server which has access to sudo. I can login into the server and run sudo su - userA to switch to new user. However if I use Ansible, it is throwing me below error:
fatal: [node1]: FAILED! => {"changed": false, "module_stderr": "Shared connection to node1 closed.\r\n", "module_stdout": "\r\nSorry, user abc is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS-pzwmlpcvzvwafleunmvpwioi; /usr/bin/python /var/tmp/ansible-tmp-1533926060.36-184244176073120/setup.py' as userA on node1.\r\n", "msg": "MODULE FAILURE", "rc": 1}
Ansible file:
---
- hosts: all
become: yes
become_user: userA
become_method: sudo
tasks:
- name: Create file
command: touch /home/userA/testing
We don't have access to sudoers file. Is there a way to fix this without changing sudoers file?
I depends... If the sudoers configuration permits running /usr/bin/su - userA* (with a wildcard at the end allowing for the -c argument), then you can add become-configuration to your task in the following way:
- name: Create file
command: touch /home/userA/testing
vars:
ansible_become: true
ansible_become_method: su
ansible_become_user: userA
ansible_become_exe: 'sudo -p "Password: " su -'
If the password is required by sudoers, you must run ansible-playbook with --ask-become-pass (-K) option and connecting user's password (as for sudo).
First three parameters can be written directly as parameters to the task / play.
Otherwise you are probably destined for running expect module (likely on the controller machine) with all the drawbacks.
you can SetUID chmod u+s file on the files you want to run with UserA from userB. For Example, /usr/bin/passwd is a root file which has SetUID, so, any user can change its own passwd (using passwd command) while running the /usr/bin/passwd as root.
ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd
passwd
Changing password for user user.
Changing password for user.
(current) UNIX password:

Simulate permissions for non-login user

I want to perform some actions on behalf of some non-login users, such as e.g. www-data or uwsgi. My purpose is to test some permissions, check what dirs they can modify etc etc.
Is there a recommended way of going about this, other than creating a shell and password for them and su ?
edit:
When I try to su to the specific user with sudo:
admin#ip-192-10-30-111:~$ sudo su www-data
This account is currently not available.
admin#ip-192-10-30-111:~$ cat /etc/passwd | grep -i www-data
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
admin#ip-192-10-30-111:~$
You don't need to create a shell and password for them, you can simply run su as root and use the --shell argument of su.
To run a bash shell as www-data run:
su --shell /bin/bash www-data
as root.

Execute under different user on FreeBSD

I am logged in as root in a freebsd (10) box and I am trying to execute a script (or any command) as another user, but I get: "su: Sorry"
root#vm ~ # whoami
root
root#vm ~ # cat /etc/passwd
#...
myuser:*:1001:1001:my name:/home/myuser:/usr/local/bin/bash
#...
root#vm ~ # su -m myuser -c '/bin/ls /tmp'
su: Sorry
root#vm ~ # su -m myuser
su: Sorry
su - is used to elevate access level. for example myuser executes as root.
You are trying it reverse way. myuser is not member of "wheel" group.
Also it looks like root is not am member of "wheel" too.
post what do you have in passwd for root?
Run as different user under FreeBSD
I figured out how to do it: I installed the port security/sudo, and then I used sudo -u myuser.

Resources