
List:       sudo-users
Subject:    Re: [sudo-users] allowing command with or without parameter
From:       "Todd C. Miller" <Todd.Miller () courtesan ! com>
Date:       2012-11-09 17:41:52
Message-ID: 201211091741.qA9HfqU7007281 () core ! courtesan ! com

On Fri, 09 Nov 2012 15:31:31 GMT, Holger.vanKoll@swisscom.com wrote:

> I want to allow users of the (unix-)group "dba" to be able to su
> to (unix-)user db2tip.
> 
> They shall be able to do
> sudo su - db2tip
> but also
> sudo su - db2tip -c /any/command.
> 
> Currently I use this in sudoers
> 
> %dba ALL=(ALL)     NOPASSWD: /usr/bin/su - db2tip, /usr/bin/su - db2tip *
> 
> and it works; however, can this be combined into one statement?

If you really want a single rule you could use:

    %dba ALL=(ALL)     NOPASSWD: /usr/bin/su - db2tip*

However, that would match not just "db2tip" but any user name that
starts with "db2tip".  I think you are better off with two rules.

> I know about the presence of the -u flag, however, would like to
> not force the users to use it.

Personally, I would have used "sudo -i -u db2tip" instead of "sudo
su - db2tip".  I.e., use sudo to set up the login environment instead
of su, but I am probably biased.

 - todd
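
Added illustration (not part of the thread, and not sudo's own code): a small Python model of how a sudoers Cmnd spec is matched against a command line, used to compare the two-rule form from the question with the single wildcard rule from the reply. It assumes sudo's documented behaviour (exact path match; a spec with no arguments matches any arguments; otherwise the space-joined arguments must glob-match the spec's arguments) and approximates that glob with fnmatch; the candidate command lines are constructed for the demonstration.

```python
import fnmatch
import shlex

# Simplified model of sudoers Cmnd matching (an assumption, not sudo's code):
#  - the program path must be identical to the spec's path
#  - a spec with no arguments permits any arguments
#  - otherwise the user's arguments, joined by single spaces, must glob-match
#    the spec's arguments; '*' is allowed to span spaces, as it does in sudo


def cmnd_matches(spec: str, cmdline: str) -> bool:
    """Return True if a single Cmnd spec permits this command line."""
    spec_parts = shlex.split(spec)
    cmd_parts = shlex.split(cmdline)
    if not spec_parts or not cmd_parts or spec_parts[0] != cmd_parts[0]:
        return False
    if len(spec_parts) == 1:  # bare path: any arguments are allowed
        return True
    spec_args = " ".join(spec_parts[1:])
    cmd_args = " ".join(cmd_parts[1:])
    return fnmatch.fnmatchcase(cmd_args, spec_args)


def allowed(cmnd_list: str, cmdline: str) -> bool:
    """True if any of the comma-separated Cmnd specs permits the command."""
    return any(cmnd_matches(s.strip(), cmdline) for s in cmnd_list.split(","))


# Command lists from the thread, without the "%dba ALL=(ALL) NOPASSWD:" prefix.
TWO_RULES = "/usr/bin/su - db2tip, /usr/bin/su - db2tip *"
ONE_RULE = "/usr/bin/su - db2tip*"

# Constructed command lines: the two intended uses plus two unintended ones
# that only differ in the target user name.
CANDIDATES = [
    "/usr/bin/su - db2tip",
    "/usr/bin/su - db2tip -c /any/command",
    "/usr/bin/su - db2tip2",
    "/usr/bin/su - db2tipadmin -c /bin/sh",
]


def overmatched(cmnd_list: str, candidates=CANDIDATES) -> list:
    """Command lines the list permits although their target is not db2tip."""
    return [c for c in candidates if allowed(cmnd_list, c)
            and shlex.split(c)[2] != "db2tip"]


if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c:40} two rules: {allowed(TWO_RULES, c)!s:5} "
              f"one rule: {allowed(ONE_RULE, c)}")
```

Running it shows the single rule also permitting the `db2tip2` and `db2tipadmin` lines, which is the over-match the reply warns about; the two-rule form permits only the two intended invocations.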
