[CentOS] how to setup account which can 'su" to another account (NON-root)?

Thu Aug 19 13:56:43 UTC 2010
mcclnx mcc <mcclnx at yahoo.com.tw>

Thank you for the answer.  The problem I have is that "user1" needs "su" privilege.  If I grant "su" privilege, it can "su" to anyone.  What I want is for user1 to be able to "su" ONLY to user2.

my /etc/sudoers setup:

  # User privilege specification
root    ALL=(ALL) ALL
user1   ALL=(root) /bin/su


Any idea how to fix it?



--- On 10/8/18 (Wed), Jay Leafey <jay.leafey at mindless.com> wrote:

> From: Jay Leafey <jay.leafey at mindless.com>
> Subject: Re: [CentOS] how to setup account which can 'su" to another account (NON-root)?
> To: "CentOS mailing list" <centos at centos.org>
> Date: Wednesday, August 18, 2010, 8:05 PM
> mcclnx mcc wrote:
> > We have CENTOS 5.2 on a DELL server.  We need to allow a user to "su" to another user without a password.
> > 
> > for example:
> > 
> > account user1 can "su - user2" without a password.   (user2 is NOT root)
> > 
> > I know this is a big security risk but ....  Anyone know how to do it?
> > 
> > Thanks.
> > 
> 
> Check out the sudo command.  You can alter the
> /etc/sudoers file to specify that the "source" user can only
> run a command as a specified "runas" user.  The syntax
> would look something like:
> 
> sourceuser ALL = ( runasuser ) command
> 
> Let's say you wanted the user "bob" to be able to run the
> "grep" command as user "fred".  The following line
> could be added to the /etc/sudoers file:
> 
> bob ALL = ( fred ) /bin/grep
> 
> "bob" would use the sudo command to execute the grep
> command:
> 
> sudo -u fred /bin/grep 'stuff' logfile
> 
> This is a simplistic example, check the man pages for
> "sudo" and "sudoers" for more information.
> -- Jay Leafey - jay.leafey at mindless.com
> Memphis, TN
>
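
An added example, not part of the thread: a small audit that flags sudoers rules like the `user1 ALL=(root) /bin/su` line above, next to two forms that stay scoped to user2. The policy text is constructed, user3, user4 and user5 are hypothetical accounts, and the parser assumes one rule per line with no aliases or line continuations.

```shell
#!/bin/sh
# Added example: audit sudoers user rules for an su grant that is not pinned
# to one target account. Assumes one rule per line: no aliases, no line
# continuations, a single Runas spec per line.

# Constructed sample policy. user1/user2 come from the thread; user3, user4
# and user5 are hypothetical accounts used to show alternatives.
SAMPLE_SUDOERS='# User privilege specification
root    ALL=(ALL) ALL
user1   ALL=(root) /bin/su
user3   ALL=(root) /bin/su - user2
user4   ALL=(user2) NOPASSWD: ALL
user5   ALL = ( root ) /bin/ls, /bin/su - *'

# Print "user: command" for each non-root rule that runs su as root (or ALL)
# as a bare command or with wildcard arguments. sudoers treats a command
# listed without arguments as "any arguments allowed", so a bare /bin/su
# reaches every account, root included.
audit_su_rules() {
    awk '
    /^[ \t]*(#|$)/ || /^[ \t]*Defaults/ || /_Alias/ { next }
    {
        eq = index($0, "="); if (eq == 0 || $1 == "root") next
        rest = substr($0, eq + 1); sub(/^[ \t]+/, "", rest)
        runas = "root"                        # sudo default when no (runas)
        if (match(rest, /^\([^)]*\)/)) {
            runas = substr(rest, 2, RLENGTH - 2); gsub(/[ \t]/, "", runas)
            rest = substr(rest, RLENGTH + 1)
        }
        if (("," runas ",") !~ /,(root|ALL),/) next   # scoped to other users
        n = split(rest, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[ \t]*([A-Z_]+:[ \t]*)*/, "", c); sub(/[ \t]+$/, "", c)
            nw = split(c, w, /[ \t]+/)
            if (w[1] ~ /(^|\/)su$/ && (nw == 1 || c ~ /[*?]/))
                print $1 ": " c
        }
    }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_su_rules
```

Under the user3 rule the only accepted invocation is `sudo /bin/su - user2`; under the user4 rule the equivalent login shell is `sudo -u user2 -i`.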