"sudo -u <user> -i" works but "sudo su - <user>" doesn't
I have 3 VMs running Red Hat Enterprise Linux Server release 7.0 (Maipo), let's call them SysA, SysB and SysC.
I have configured sudo for UserA to be able to sudo to UserB.
UserA ALL=(UserB) ALL
On SysA and SysB this works fine, logged on as UserA issuing "sudo -u UserB -i" or "sudo su - UserB".
On SysC "sudo su - UserB" gives me the following error:
Sorry, user UserA is not allowed to execute '/bin/su - UserB' as root on SysC.
However, "sudo -u UserB -i" works.
Has anyone got a clue about how to solve this?
The easy solution is of course to use "sudo -u UserB -i" but it feels like a workaround. Before surrendering I'd like to check if anyone has a clue about this.
Best regards,
Christian
Responses
Hi Christian, some considerations...
- I removed the "-i" because I found that when I changed the shell in /etc/passwd for userb to /bin/csh, when usera did a "sudo - userb", then they were in /bin/csh without having to use the "-i" argument.
- For this test, the /etc/passwd file was changed from /bin/bash for userb to /bin/csh
- I tested this for the user "usera"
- I changed userids/hostnames to pure lower case
- Below is a candidate for /etc/sudoers on those three systems
Note, the impact of the Cmnd_Alias below is userb's .bash_profile will load because of the dash "-" such as "/bin/su - userb".
Host_Alias THREEHOSTS = sysa, sysb, sysc
Cmnd_Alias SU = /bin/su - userb
## NOTE the "-" above ensures that userb's .bash_profile is used upon login.
### place the above directives into a complete rule
usera THREEHOSTS = SU
- I tested this to determine if usera did a "sudo /bin/su - userb" if they received the non-standard shell of /bin/csh that userb has set in the /etc/passwd file:
- NOTE: Both "sudo /bin/su - userb" and "sudo su - userb" worked for me, however try both on the system where the sudo command did not work for you.
- REMINDER: /etc/passwd has /bin/csh set for the userid of "userb"
[usera@sysa] $ sudo -l
User usera may run the following commands on this host:
(root) /bin/su - userb
[usera@sysa] $ sudo /bin/su - userb
[userb@sysa] $ echo $SHELL
/bin/csh
NOTE: The shell "/bin/csh" is invoked upon login without the use of "-i"
- I noticed in your reply above that the sudo did not work on hostname "sysc", so I'd recommend checking the output of the hostname command (2 examples below) on the three machines for consistency, just in case the last machine's hostname is not what was expected because the sudoers file is like a game of "Simon Says".
# hostname
# hostname -s
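The following is an added example, not code from either post in this thread: a small Python model of how sudo evaluates rules of the kind discussed above (Host_Alias, Cmnd_Alias, and "user hosts = (runas) commands"). It rests on two facts about sudo: a rule with no "(runas)" part grants the command as root, and "sudo su - UserB" asks sudo to run /bin/su as root, while "sudo -u UserB -i" asks sudo to run UserB's login shell as UserB. Fed the question's rule, the model reproduces the exact denial message seen on SysC; fed the reply's candidate sudoers, it shows which host and runas combinations that candidate grants. The /bin/bash login shell and the extra host name "sysd" are assumptions used only for the demonstration; real sudo also handles wildcards, User_Alias, Runas groups, Defaults and negation, none of which are modelled here.

```python
"""Simplified model of sudoers rule evaluation (constructed example, not sudo).

Supports only Host_Alias, Cmnd_Alias and rules of the form
    USER HOSTS = (RUNAS) COMMANDS
A missing "(RUNAS)" means root, as in sudo.  Command matching is exact on the
full command line (real sudo also supports wildcards and argument globs).
"""
import re
from dataclasses import dataclass, field

ROOT = "root"
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


@dataclass
class Rule:
    user: str
    hosts: list
    runas: list
    cmds: list


@dataclass
class Policy:
    host_aliases: dict = field(default_factory=dict)
    cmnd_aliases: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)


def _split(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_sudoers(text):
    """Parse the supported subset of sudoers syntax into a Policy."""
    pol = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        for keyword, table in (("Host_Alias", pol.host_aliases),
                               ("Cmnd_Alias", pol.cmnd_aliases)):
            if line.startswith(keyword):
                name, value = line[len(keyword):].split("=", 1)
                table[name.strip()] = _split(value)
                break
        else:                                    # not an alias: a user rule
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"unsupported sudoers line: {raw!r}")
            user, hosts, runas, cmds = m.groups()
            pol.rules.append(Rule(user, _split(hosts),
                                  _split(runas) if runas else [ROOT],
                                  _split(cmds)))
    return pol


def _expand(items, aliases):
    """Replace alias names with their members, recursively."""
    out = []
    for item in items:
        out.extend(_expand(aliases[item], aliases) if item in aliases else [item])
    return out


def check(pol, user, host, runas, cmd):
    """True if some rule lets `user` on `host` run command line `cmd` as `runas`."""
    for r in pol.rules:
        if r.user != user:
            continue
        if "ALL" not in (hosts := _expand(r.hosts, pol.host_aliases)) and host not in hosts:
            continue
        if "ALL" not in r.runas and runas not in r.runas:
            continue
        if any(p == "ALL" or p == cmd for p in _expand(r.cmds, pol.cmnd_aliases)):
            return True
    return False


def verdict(pol, user, host, runas, cmd):
    """Render the decision; denials use the same wording as sudo."""
    if check(pol, user, host, runas, cmd):
        return f"allowed: {user} may run '{cmd}' as {runas} on {host}"
    return f"Sorry, user {user} is not allowed to execute '{cmd}' as {runas} on {host}."


# The rule from the question and the candidate from the reply (both quoted from the thread).
ORIGINAL_RULE = "UserA ALL=(UserB) ALL\n"
CANDIDATE_RULES = """\
Host_Alias THREEHOSTS = sysa, sysb, sysc
Cmnd_Alias SU = /bin/su - userb
usera THREEHOSTS = SU
"""

if __name__ == "__main__":
    pol = parse_sudoers(ORIGINAL_RULE)
    # "sudo -u UserB -i": sudo runs UserB's login shell (assumed /bin/bash) as UserB.
    print(verdict(pol, "UserA", "SysC", "UserB", "/bin/bash"))
    # "sudo su - UserB": sudo is asked to run /bin/su as root, which (UserB) does not grant.
    print(verdict(pol, "UserA", "SysC", ROOT, "/bin/su - UserB"))
    pol = parse_sudoers(CANDIDATE_RULES)
    print(verdict(pol, "usera", "sysc", ROOT, "/bin/su - userb"))   # granted by SU alias
    print(verdict(pol, "usera", "sysd", ROOT, "/bin/su - userb"))   # sysd not in THREEHOSTS
```

Note that the question's single rule, on its own, denies "sudo su - UserB" on every host; the model cannot explain why SysA and SysB accept it, so the practical check is to compare the complete effective policy (including /etc/sudoers.d and any LDAP or sssd-supplied rules) with "sudo -l" on all three hosts rather than the one line quoted.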