"sudo -u <user> -i" works but "sudo su - <user>" doesn't

I have 3 VM's running Red Hat Enterprise Linux Server release 7.0 (Maipo), let's call them SysA, SysB and SysC.

I have configured sudo for UserA to be able to sudo to UserB.

UserA ALL=(UserB) ALL

On SysA and SysB this works fine, logged on as UserA issuing "sudo -u UserB -i" or "sudo su - UserB".

On SysC "sudo su - UserB" gives me the following error:
Sorry, user UserA is not allowed to execute '/bin/su - UserB' as root on SysC.

However, "sudo -u UserB -i" works.

Has anyone got a clue about how to solve this?
The easy solution is of course to use "sudo -u UserB -i", but it feels like a workaround. Before surrendering I'd like to check if anyone has a clue about this.

Best regards,
Christian

Responses

sudo -u UserB -i executes as UserB, whereas, sudo su - UserB executes as root.

UserA and/or UserB is not configured on SysC to be allowed certain sudo privileges, perhaps?

Compare with visudo

Thanks for your reply.

/etc/sudoers contain the following row on all three servers:
UserA ALL=(UserB) ALL

On SysA and SysB this works issuing "sudo -u UserB -i" or "sudo su - UserB" as UserA.
On SysC only "sudo -u UserB -i" works.

UserB is as you state not set up in /etc/sudoers.

As an additional note, SELinux is in Permissive mode on all three servers.

Need to make sure that the one system hasn't disabled the ability to execute sudo su -. Might want to check to see if /etc/pam.d/su exists and if it has a line similar to:

auth requisite  pam_deny.so

In it.

good call Tom

Hi Christian, some considerations...

  • I removed the "-i" because I found that when I changed the shell in /etc/passwd for userb to /bin/csh, when usera did a "sudo - userb", then they were in /bin/csh without having to use the "-i" argument.
  • For this test, /etc/passwd file was changed from /bin/bash for userb to /bin/csh

  • I tested this for the user "usera"

  • I changed userids/hostnames to pure lower case

  • Below is a candidate for /etc/sudoers on those three systems
    Note, the impact of the Cmnd_Alias below is userb's .bash_profile will load because of the dash "-" such as "/bin/su - userb".

Host_Alias THREEHOSTS = sysa, sysb, sysc
Cmnd_Alias SU = /bin/su - userb
## NOTE the "-" above ensures that userb's .bash_profile is used upon login.
### place the above directives into a complete rule
usera  THREEHOSTS = SU 
  • I tested this to determine if usera did a "sudo /bin/su - userb" if they received the non-standard shell of /bin/csh that userb has set in the /etc/passwd file:
  • NOTE: Both "sudo /bin/su - userb" and "sudo su - userb" both worked for me, however try both on the system where the sudo command did not work for you.
  • REMINDER: /etc/passwd has /bin/csh set for the userid of "userb"
[usera@sysa] $ sudo -l
User usera may run the following commands on this host:
   (root) /bin/su - userb
[usera@sysa] $ sudo /bin/su - userb
[userb@sysa] $ echo $SHELL
/bin/csh

NOTE: The shell "/bin/csh" is invoked upon login without the use of "-i"

  • I noticed in your reply above that the sudo did not work on hostname "sysc", so I'd recommend checking the output of the hostname command (2 examples below) on the three machines for consistency, just in case the last machine's hostname is not what was expected because the sudoers file is like a game of "Simon Says".
# hostname
# hostname -s

I stared myself blind on the entries for UserA in the sudoers-file.

On SysA and SysB, in addition to the rights to switch to UserB, there was also set up root access for UserA further up in the file.
Once I removed root access, "sudo su - " also stopped working on SysA and SysB.

Embarrassing story! Thanks for all your input.

Glad you got this resolved, Christian. Thanks for letting us know what worked.
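As an added illustration of the point made in the first reply and confirmed by Christian's resolution: "sudo -u UserB -i" is checked against the run-as user UserB, while "sudo su - UserB" asks sudo to run /bin/su as root, so it needs a (root) or (ALL) rule. The Python below is a deliberately simplified model of sudoers matching written for this thread, not sudo's own parser, and the rule sets in it are constructed from the rules quoted above.

```python
import re

# Simplified model of sudoers matching written for this thread (not sudo's parser):
# handles "User Host = (RunAs) Cmnd" rules plus Host_Alias/Cmnd_Alias; it ignores
# Defaults, negation, wildcards, user aliases, netgroups and argument globbing.
def parse_sudoers(text):
    """Return (aliases, rules); a rule without (RunAs) defaults to root, as sudo does."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"(Host_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(2)] = {x.strip() for x in m.group(3).split(",")}
            continue
        m = re.match(r"(\S+)\s+([^\s=]+)\s*=\s*(?:\((\S+)\))?\s*(.+)", line)
        if m:
            user, host, runas, cmnd = m.groups()
            rules.append((user, host, runas or "root", cmnd.strip()))
    return aliases, rules

def _matches(spec, value, aliases):
    """ALL matches anything; an alias name expands to its members; else exact match."""
    return spec == "ALL" or value in aliases.get(spec, {spec})

def allowed(sudoers, user, host, runas, command):
    """Would `sudo -u <runas> <command>` typed by <user> on <host> be permitted?"""
    aliases, rules = parse_sudoers(sudoers)
    return any(u == user and _matches(h, host, aliases)
               and _matches(r, runas, aliases) and _matches(c, command, aliases)
               for u, h, r, c in rules)

# Constructed rule sets mirroring the thread: the (UserB) rule alone (SysC), the same
# rule with a root rule "further up" (SysA/SysB), and Tom's alias-based candidate.
RULE_ONLY = "UserA ALL=(UserB) ALL\n"
WITH_ROOT = "UserA ALL=(ALL) ALL\n" + RULE_ONLY
ALIAS_RULE = """Host_Alias THREEHOSTS = sysa, sysb, sysc
Cmnd_Alias SU = /bin/su - userb
usera  THREEHOSTS = SU
"""

def thread_cases(sudoers, host="SysC"):
    """(sudo -u UserB -i allowed?, sudo su - UserB allowed?) for UserA on host."""
    # -i runs UserB's login shell *as UserB*; su - UserB runs /bin/su *as root*.
    return (allowed(sudoers, "UserA", host, "UserB", "/bin/bash"),
            allowed(sudoers, "UserA", host, "root", "/bin/su - UserB"))

if __name__ == "__main__":
    print("(UserB) rule only :", thread_cases(RULE_ONLY))   # (True, False)
    print("with root rule    :", thread_cases(WITH_ROOT))   # (True, True)
```

Run it to see why "sudo -u UserB -i" passes everywhere while "sudo su - UserB" only passes where a root rule exists; the alias rule set also shows that a host not listed in THREEHOSTS, or a command that differs from "/bin/su - userb", is refused.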

Hi All,

I am getting the error below; how do I fix it?

[svc_cloudscape_ms@axmatdev1 ~]$ sudo su -
Sorry, user svc_cloudscape_ms is not allowed to execute '/bin/su -' as root on axmatdev1.
[svc_cloudscape_ms@axmatdev1 ~]$

We are using the Centrify tool for access. Usually we use dzdo for root access, but now we have a requirement to create a local account and provide sudo access for that. We have made an entry in the /etc/sudoers file. We are able to switch to root (sudo su -) on some servers, but it is not working on others. All are in the same network and have the same configuration. Please advise if anyone has a suggestion to fix this one.