mcclnx mcc
2010-Aug-18 23:22 UTC
[CentOS] how to setup account which can 'su" to another account (NON-root)?
We have CentOS 5.2 on a Dell server. We need to allow a user to "su" to another user without a password.

For example:

account user1 can "su - user2" without a password. (user2 is NOT root)

I know this is a big security risk but .... Does anyone know how to do it?

Thanks.
Jim Wildman
2010-Aug-19 00:02 UTC
[CentOS] how to setup account which can 'su" to another account (NON-root)?
On Thu, 19 Aug 2010, mcclnx mcc wrote:

> we have CENTOS 5.2 on DELL server. we need allow a user can "su" to another user without password.
>
> for example:
>
> account user1 can "su - user2" without password. (user2 is NOT root)

man sudo

----------------------------------------------------------------------
Jim Wildman, CISSP, RHCE
jim at rossberry.com
http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one." Thomas Paine
Jay Leafey
2010-Aug-19 00:05 UTC
[CentOS] how to setup account which can 'su" to another account (NON-root)?
mcclnx mcc wrote:

> we have CENTOS 5.2 on DELL server. we need allow a user can "su" to another user without password.
>
> for example:
>
> account user1 can "su - user2" without password. (user2 is NOT root)
>
> I know this is big security risk but .... Anyone know how to do it?
>
> Thanks.

Check out the sudo command. You can alter the /etc/sudoers file to specify that the "source" user can only run a command as a specified "runas" user. The syntax would look something like:

    sourceuser ALL = ( runasuser ) command

Let's say you wanted the user "bob" to be able to run the "grep" command as user "fred". The following line could be added to the /etc/sudoers file:

    bob ALL = ( fred ) /bin/grep

"bob" would use the sudo command to execute the grep command:

    sudo -u fred /bin/grep 'stuff' logfile

This is a simplistic example, check the man pages for "sudo" and "sudoers" for more information.

--
Jay Leafey - jay.leafey at mindless.com
Memphis, TN
mcclnx mcc
2010-Aug-19 13:56 UTC
[CentOS] how to setup account which can 'su" to another account (NON-root)?
Thank you for the answer.

The problem I have is that "user1" needs "su" privilege. If I grant "su" privilege, it can "su" to anyone. What I want is that user1 can ONLY "su" to user2.

My /etc/sudoers setup:

    # User privilege specification
    root    ALL=(ALL) ALL
    user1   ALL=(root) /bin/su

Any idea how to fix it?
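
Added example, not part of any message in the thread: a small shell check that separates a sudoers rule granting `su` toward any account (the rule posted in the last message) from one whose arguments pin the target to user2. The sample rules are constructed, the function names are hypothetical, and the classifier assumes one command per rule.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies one sudoers user specification:
#   unrestricted-su  su granted with no arguments or with wildcards: any target account
#   pinned-su        su granted with fixed arguments, e.g. "- user2"
#   other            anything else (comments, Defaults, non-su commands such as ALL)
# Assumption: one command per rule (no comma-separated command lists or aliases).
classify_su_rule() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || NF == 0 { print "other"; exit }
    {
        eq = index($0, "=")
        if (eq == 0) { print "other"; exit }
        rhs = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)/, "", rhs)             # drop the (runas) list
        sub(/^[ \t]+/, "", rhs)
        while (sub(/^[A-Z_]+:[ \t]*/, "", rhs)) { }  # drop tags such as NOPASSWD:
        sub(/[ \t]+$/, "", rhs)
        n = split(rhs, w, /[ \t]+/)
        if (w[1] !~ /(^|\/)su$/) { print "other"; exit }
        # A command listed without arguments matches any arguments,
        # so "sudo su - <any account>" is allowed by such a rule.
        if (n == 1) { print "unrestricted-su"; exit }
        for (i = 2; i <= n; i++)
            if (w[i] ~ /[*?]/) { print "unrestricted-su"; exit }
        print "pinned-su"
    }'
}

# Constructed sample: the rule posted in the thread, a su rule pinned to user2,
# and the runas form from the earlier reply widened to ALL (an assumption).
audit_sample() {
    while IFS= read -r rule; do
        printf '%-16s %s\n' "$(classify_su_rule "$rule")" "$rule"
    done <<'EOF'
user1 ALL=(root) /bin/su
user1 ALL=(root) NOPASSWD: /bin/su - user2
user1 ALL=(user2) NOPASSWD: ALL
EOF
}

audit_sample
```

With the pinned rule, user1 types `sudo su - user2` exactly as written in the rule; any other argument list is refused. Edit /etc/sudoers with visudo so a syntax error is caught before the file is saved.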