How can I allow one user to su to another without allowing root access?

security linux sudo

I'd like to allow certain users to su to another user account without having to know that account's password, but not allow access to any other user account (i.e. root).
For instance, I'd like to allow Tom the DBA to su to the oracle user, but not to the tomcat user or root.

I imagine this could be done with the /etc/sudoers file - is it possible? If so, how?


Yes, this is possible.

In /etc/sudoers the item immediately following the equals is the user that the command will be allowed to execute as.

tom  ALL=(oracle) /bin/chown tom *

The user (tom) can type sudo -u oracle /bin/chown tom /home/oracle/oraclefile


Add to your /etc/sudoers something like

tom ALL=(oracle) ALL

Then user tom should be able to use sudo to run things as user oracle with the -u option, without letting tom

I.e. getting a shell as user oracle (well, given that your sudo is new enough to have the -i option).

sudo -u oracle -i

To ONLY provide the capabilities in the question, add the following to /etc/sudoers:

tom            ALL=(oracle)    /bin/bash

Then tom can:

sudo -u oracle bash -i

Related

How to properly set permissions for NFS folder? Permission denied on mounting end.
Copy directory structure intact to AWS S3 bucket
How can I check from the command line if a reboot is required on RHEL or CentOS?
Your system administrator does not allow the use of saved credentials to log on to the remote computer
Linux: productive sysadmins without root (securing intellectual property)?
Hidden Features of Linux
How is OAuth 2 different from OAuth 1?
What's the best way to convert a number to a string in JavaScript?
Proper way to initialize a C# dictionary with values
Retrieving Android API version programmatically
How to force child div to be 100% of parent div's height without specifying parent's height?
Getting only response header from HTTP POST using cURL