Sudo access issues with passwd

05
2014-04
  • sridhar.bijmc

    I have sudo configured like this:

    joe ALL=(root) NOPASSWD: /bin/su - steve
    

    What does it do exactly?

    I am confused.

    I guess there are three different ways to execute that command:

    1. su - steve

    2. sudo su - steve

    3. sudo -u root su - steve

    In which cases is it not going to ask for a password? What is the difference between commands 2 and 3?

    When joe runs command 2, will it run as user joe or root?

  • Answers
  • rking

    It seems like you may have some confusion between what sudo and su are used for. Both enable a user to execute commands as if they are another user with different privileges, but there are distinct differences.

    An overgeneralization would be:

    • su - get a shell with uid/gid of another user, authenticating with that user's password.
    • sudo - run a command with uid/gid of another user, authenticating with your password.

    SU

    In general, most people utilize su to initiate a shell with (s)ubstitute (u)ser id and/or group id. This is most commonly done to gain root privileges but can also be used for any system user.

    If the user running su is not root, then it will ask for the password of the user you are trying to su as.

    • su - login as root with a login shell that will have an environment similar to a real login. Need root's password.
    • su - alice login as alice with a login shell that will have an environment similar to a real login. Need alice's password.
    • su or su alice like the examples above, with the difference that the initial user environment is maintained with the exception of the environment variables USER, SHELL, and HOME. This can have unexpected consequences. As an example, since PATH is not changed, when trying to change the password you may not be running the command /usr/bin/passwd but /usr/local/bin/passwd or even /home/{$ORIGUSER}/bin/passwd.

    • su -c command - execute the command as root with a login shell and exit to original user shell.

    • su -c command - alice execute the command as alice with a login shell and exit to original user shell.

    SUDO

    Sudo allows more flexibility than su. The most apparent to the end user is that they are authenticating using their own password or even no password if configured that way.

    By utilizing the configuration file visudo, the privileges allowed by the user can be controlled with much more control.

    As an example, you can allow a user to execute some commands with no password required and other commands may require a password.

    Please see the associated man pages to get an idea of all the variations that can be done.

    The two most visible benefits of sudo vs su

    • The ability to give certain groups of users the root privileges of only a subset of commands without having to give them the root password. This allows a way to have a restrictive tier of administrator level users with root access to only the commands they need to do their job.
    • Since you are only executing one command as root, lowers risks of accidental harm. For an example, you think you are in your user directory /home/user/myjunkdocs and run rm -rf but you are actually in the root directory and delete the system software.
  • dma1324

    su logs in to the superuser by default (or the specified user) but it requires the target's password (i.e. su root needs the root password). It has nothing to do with sudo.

    sudo su will log you in as root with joe's password. It'll prompt you for joe's password, and then runs the command su as root, which doesn't require a password for the superuser (root). Meaning, it will log you in to a root shell with joe's password.

    The third command does the same thing, it just specifies explicitly that you want to run the command su as root, which is the default anyway, just more explicit.

  • Unnikrishnan

    su (switch user) command is used to switch to a particular user.

    For example: su tom    --> to log in as tom
    

    sudo su will switch to root user.

    sudo is used to grant special permissions to a normal user. But the condition is that the sudo user must be enabled in the sudoers file.
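
As an added example (not part of any answer above, and not sudo's own code), this shell sketch models how the rule from the question is matched against the three invocations and a few near misses. It assumes su resolves to /bin/su and that joe has no other sudoers entries; the function names rule_matches and classify are hypothetical.

```shell
#!/bin/sh
# Added example: simplified model of how the page's sudoers rule is matched.
# Rule from the question:  joe ALL=(root) NOPASSWD: /bin/su - steve
# Assumptions: "su" resolves to /bin/su, and joe has no other sudoers entries.
RULE_USER=joe
RULE_RUNAS=root
RULE_CMD="/bin/su - steve"

# rule_matches USER RUNAS COMMAND [ARGS...]
# Succeeds only if user, run-as user and the full command line all match.
rule_matches() {
    [ $# -ge 3 ] || return 1
    user=$1; runas=$2; prog=$3; shift 3
    [ "$prog" = su ] && prog=/bin/su      # assumed PATH resolution
    full="$prog${*:+ $*}"                 # arguments are part of the match
    [ "$user" = "$RULE_USER" ] && [ "$runas" = "$RULE_RUNAS" ] &&
        [ "$full" = "$RULE_CMD" ]
}

# classify "COMMAND LINE" -> what happens when joe types it
#   target-password : plain su, sudo not involved, su asks for steve's password
#   nopasswd        : sudo matches the rule and runs su as root, no prompt
#   denied          : no rule matches, sudo refuses to run the command
classify() {
    set -f                 # no globbing while splitting the line into words
    set -- $1
    set +f
    if [ "$1" != sudo ]; then
        echo target-password
        return
    fi
    shift
    runas=root             # sudo's default run-as user
    if [ "$1" = -u ]; then
        runas=$2
        shift 2
    fi
    if rule_matches joe "$runas" "$@"; then
        echo nopasswd
    else
        echo denied
    fi
}

# Constructed sample invocations: the three from the question plus near misses.
for line in "su - steve" "sudo su - steve" "sudo -u root su - steve" \
            "sudo su -" "sudo su - alice" "sudo -u steve su - steve"; do
    printf '%-28s %s\n' "$line" "$(classify "$line")"
done
```

Because the rule lists arguments, only the exact command line "/bin/su - steve" run as root matches; "sudo su -" or "sudo su - alice" fall outside it.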


  • Related Question

    How to perform SCP as a Sudo user
  • Questioner

    Possible Duplicate:
    scp to remote server with sudo

    What is the best way of doing SCP from one box to the other as a sudo user? There are two servers

    Server A

    10.152.2.10

    /home/oracle/export/files.txt

    User : deploy

    Server B

    10.152.2.11

    /home/oracle/import/

    User : deploy
    Sudo user : /usr/local/bin/tester

    All I want is to copy files from Server A to Server B as a sudo user...

    In order to do this, first I normally log in as the deploy user on the target server and then switch to a sudo user without a password.

    After that I use SCP to copy the file; this is the normal way I perform this activity...

    In order to automate this I have written a script

    #!/bin/sh
    ssh deploy@lnx120 
    sudo /usr/local/bin/tester "./tester/deploy.sh"
    

    I have generated the private key for the deploy user, so it allows me to log in as the deploy user without a password. After that the sudo command is executed and it will switch the user to tester...

    After that nothing happens... I mean the script is not getting executed... Is there any way to accomplish this in a different way...


  • Related Answers
  • grawity

    You can make a wrapper around ssh, like this:

    #!/usr/bin/perl
    use strict;
    my @newargs = ( "ssh" );
    my $added = 0;
    for my $arg (@ARGV) {
        # replace "scp" with "sudo scp"
        if ($arg =~ /^scp / and $added == 0) {
            $arg =~ s/^/sudo /;
            $added = 1;
        }
        push @newargs, $arg;
    }
    exec @newargs;
    

    Make it executable, and run scp like this:

    scp -S ./ssh-wrapper somefile anotherfile hostname.domain.tld:path/

    This will only work if sudo on the remote server doesn't require a password (or if it's cached), but better than nothing.

  • zpon

    If I understand correctly, you need sudo because the file is somewhere your regular user does not have access to? And you do not have the root password, or do not want to use it for some reason?

    One solution would be to copy the file to a location where your regular user has access (and if necessary change the access rights on the file as well), and then perform the scp.