In multi-user Linux environments, we often need to grant controlled privilege escalation. A common requirement is allowing a user (e.g., a DBA) to switch to a specific service account (like 'oracle') without obtaining root access or accessing other user accounts. Traditional approaches using su with password sharing pose security risks.
The proper way to implement this is through /etc/sudoers with careful syntax. Here's the precise entry you'll need:

# Allow user 'tom' to become 'oracle' without password
tom ALL=(oracle) NOPASSWD: /bin/su - oracle
Key components of this configuration:
- tom ALL= : applies to user tom on all hosts
- (oracle) : specifies the target user
- NOPASSWD: : enables passwordless switching
- /bin/su - oracle : explicit command restriction
After saving the sudoers file (always use visudo for editing), test the configuration:

$ sudo -u oracle /bin/su - oracle
Tom should now be able to execute:
sudo su - oracle
But attempts to access other accounts will be denied:

sudo su - root     # Permission denied
sudo su - tomcat   # Permission denied
For enhanced security in production environments:

# More restrictive version limiting command parameters
Cmnd_Alias ORACLE_SU = /bin/su - oracle
tom ALL=(oracle) NOPASSWD: ORACLE_SU
This approach prevents potential command injection by strictly defining the allowed command pattern.
If the configuration isn't working as expected:
- Verify sudoers syntax with visudo -c
- Check system logs (/var/log/secure or /var/log/auth.log)
- Ensure the user belongs to the correct groups
- Test with sudo -l to view effective privileges
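The log check above is easier to act on when the sudo lines are parsed rather than eyeballed. The following added example (not from the original page) parses sudo's standard syslog format, separates allowed invocations from ones sudo refused ("command not allowed"), and summarizes them per user and target account. The log lines are constructed samples in the real sudo format; the host name, timestamps and user names are made up.

```python
import re
from collections import Counter

# Constructed sample log lines in sudo's syslog format (not from any real system).
# Allowed invocations carry no reason field; refused ones carry "command not allowed".
SAMPLE_LOG = """\
Mar  3 10:15:01 dbhost sudo:      tom : TTY=pts/0 ; PWD=/home/tom ; USER=oracle ; COMMAND=/bin/su - oracle
Mar  3 10:16:12 dbhost sudo:      tom : command not allowed ; TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/su - root
Mar  3 10:16:40 dbhost sudo:      tom : command not allowed ; TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/su - tomcat
Mar  3 10:17:05 dbhost sshd[2210]: Accepted publickey for tom from 10.0.0.5 port 51234 ssh2
Mar  3 10:18:22 dbhost sudo:      tom : TTY=pts/1 ; PWD=/home/tom ; USER=oracle ; COMMAND=/bin/su - oracle
"""

# One sudo log line: timestamp, host, invoking user, optional refusal reason,
# then the TTY / PWD / USER (target account) / COMMAND fields.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_events(log_text):
    """Return a list of dicts, one per sudo line; non-sudo lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue  # sshd, cron, etc.
        d = m.groupdict()
        d["denied"] = d["reason"] is not None  # reason present => sudo refused it
        events.append(d)
    return events


def denied_attempts(events):
    """Only the invocations sudo refused; these are what to review after a change."""
    return [e for e in events if e["denied"]]


def summarize(events):
    """Count (invoking user, target account, allowed|denied) triples."""
    counts = Counter()
    for e in events:
        counts[(e["user"], e["runas"], "denied" if e["denied"] else "allowed")] += 1
    return counts


if __name__ == "__main__":
    events = parse_sudo_events(SAMPLE_LOG)
    for (user, runas, outcome), n in sorted(summarize(events).items()):
        print(f"{user} -> {runas}: {outcome} x{n}")
    for e in denied_attempts(events):
        print(f"DENIED {e['ts']} {e['user']} tried USER={e['runas']} COMMAND={e['cmd']}")
```

Run it against `grep sudo /var/log/auth.log` (or /var/log/secure) output instead of SAMPLE_LOG to see which target accounts a user is actually reaching and which requests are being refused; the two denied lines in the sample correspond to the "Permission denied" cases described above.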
In Unix/Linux system administration, there's a common need to grant specific users the ability to switch to particular accounts without giving them full sudo privileges or root access. This is particularly important for:
- DBAs needing oracle account access
- Developers requiring service account access
- Operations staff that need to manage specific applications
The /etc/sudoers file provides the perfect mechanism for this through targeted privilege specification. Here's the basic syntax structure:
username ALL=(targetuser) NOPASSWD: /bin/su - targetuser
For our scenario where Tom needs oracle access:

# /etc/sudoers entry
tom ALL=(oracle) NOPASSWD: /bin/su - oracle
Important security measures to implement:
- Never edit /etc/sudoers directly - always use visudo
- Test changes in a separate terminal session before logging out
- Consider adding command restrictions if needed
For more complex scenarios, you can use:

# Allow switching via both su and sudo
Cmnd_Alias ORACLE_CMDS = /bin/su - oracle, /usr/bin/sudo -u oracle /bin/bash
tom ALL=(oracle) NOPASSWD: ORACLE_CMDS
After implementation, test with:

sudo -u oracle /bin/su - oracle
# or
sudo su - oracle
For managing multiple users:

# Create a group
groupadd oracle_admins
# sudoers entry
%oracle_admins ALL=(oracle) NOPASSWD: /bin/su - oracle
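To see how sudo decides whether a given request matches these entries (the single-user entry, the Cmnd_Alias form, and the %group form above), here is an added example, not part of the original page or of sudo itself: a small Python model of sudoers matching. It parses a constructed sudoers fragment built from the entries discussed here and evaluates requests the way sudo does for this subset: the invoking user or one of its groups must match, the requested target user must be in the Runas_Spec (sudo's default target when no -u is given is root), and the command line must match exactly; the last matching entry wins. Wildcards, Host_Alias/User_Alias and most other sudoers features are deliberately not modelled, and the user and group names are made up.

```python
from dataclasses import dataclass

# Constructed sudoers fragment combining the entries discussed on the page.
SUDOERS = """
# Allow user 'tom' to become 'oracle' without password
tom ALL=(oracle) NOPASSWD: /bin/su - oracle

# Alias form: one named definition of the permitted command lines
Cmnd_Alias ORACLE_CMDS = /bin/su - oracle, /usr/bin/sudo -u oracle /bin/bash
tom ALL=(oracle) NOPASSWD: ORACLE_CMDS

# Group-based variant for several DBAs
%oracle_admins ALL=(oracle) NOPASSWD: /bin/su - oracle
"""


@dataclass
class Rule:
    principal: str   # "tom" or "%oracle_admins"
    hosts: str       # only "ALL" is meaningful in this model
    runas: set       # Runas_Spec; sudo defaults to {"root"} when none is given
    nopasswd: bool
    commands: list   # exact command lines (aliases already expanded)


def parse_sudoers(text):
    """Parse the subset of sudoers syntax used on this page (no wildcards or other aliases)."""
    aliases = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        principal, rest = line.split(None, 1)
        hosts, spec = rest.split("=", 1)
        spec = spec.strip()
        runas = {"root"}                       # sudo's default Runas when none is given
        if spec.startswith("("):
            inner, spec = spec[1:].split(")", 1)
            runas = {u.strip() for u in inner.split(",")}
            spec = spec.strip()
        nopasswd = False
        if spec.startswith("NOPASSWD:"):
            nopasswd = True
            spec = spec[len("NOPASSWD:"):].strip()
        commands = []
        for c in spec.split(","):
            c = c.strip()
            commands.extend(aliases.get(c, [c]))  # expand a Cmnd_Alias reference
        rules.append(Rule(principal, hosts.strip(), runas, nopasswd, commands))
    return rules


def applies_to(rule, user, groups):
    """Does the rule's principal (user or %group) cover this invoking user?"""
    if rule.principal.startswith("%"):
        return rule.principal[1:] in groups
    return rule.principal == user


def list_privileges(rules, user, groups):
    """Roughly what `sudo -l` reports: the entries that apply to this user."""
    return [r for r in rules if applies_to(r, user, groups)]


def check(rules, user, groups, runas, command):
    """Return (allowed, password_required) for `sudo -u <runas> <command>` run by <user>.

    Pass runas="root" to model a plain `sudo <command>` with no -u flag.
    As in sudo, the last matching entry decides.
    """
    result = (False, True)
    for r in rules:
        if not applies_to(r, user, groups) or r.hosts != "ALL":
            continue
        if "ALL" not in r.runas and runas not in r.runas:
            continue                            # wrong target user for this entry
        if "ALL" in r.commands or command in r.commands:
            result = (True, not r.nopasswd)
    return result


if __name__ == "__main__":
    rules = parse_sudoers(SUDOERS)
    for req in [("tom", {"tom"}, "oracle", "/bin/su - oracle"),
                ("tom", {"tom"}, "root", "/bin/su - oracle"),
                ("tom", {"tom"}, "oracle", "/bin/su - root"),
                ("alice", {"alice", "oracle_admins"}, "oracle", "/bin/su - oracle")]:
        print(req, "->", check(rules, *req))
```

The second request in the usage block models `sudo su - oracle` typed without `-u oracle`: sudo then asks to run the command as root, which the (oracle) Runas_Spec does not grant, so it is refused even though the command line itself is listed. That is why the test command above is written as `sudo -u oracle /bin/su - oracle`, and why `sudo -l` is worth checking after each change.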