74

I need to allow user martin to switch to user martin-test without a password:

su - martin-test

I think this can be configured in /etc/pam.d/su. There are already some lines in that file which can be uncommented. However, I don't like the idea of adding user martin to group wheel. I don't want to give martin any more privileges than to be able to switch to martin-test. I also do not want to use sudo.

What would be the best way to do it, while keeping the privileges of user martin minimal?

Braiam
Martin Vegter
  • This is easier to do with `sudo`, e.g. `sudo -u martin-test -i`. Is there a reason you are asking specifically about `su`? – jordanm Feb 05 '14 at 22:24
  • I don't want to install `sudo` just because of this (I don't normally use `sudo` and I don't particularly like it). And I think using `pam` is a cleaner and more transparent way to do it. – Martin Vegter Feb 05 '14 at 22:28
  • @drewbenn I need a solution independent of `ssh`. I cannot rely on the `ssh` server running at all times. But otherwise, that would be an interesting solution. – Martin Vegter Feb 06 '14 at 09:20
  • @MartinVegter As you can see from the script answer, doing this through some sort of pam mechanism is very ugly. Really, this is exactly what `sudo` was meant for. Aside from not normally using it, what are the objections? – phemmer Feb 12 '14 at 22:32
  • Downvoted because you refuse to use `sudo`, even though it is designed for exactly this kind of situation, and you have been unable to produce a reason for not using it that's grounded in a technical evaluation. In addition, neither your bounty description nor your question nor your comments say _anything_ about what is wrong with the current answer. – strugee Feb 13 '14 at 05:17
  • If a clean solution is possible with `pam`, I would prefer that over `sudo`. If `sudo` is the only possibility, then that is fine as well. My objections to `sudo` are mostly ideological: I don't like the idea of a user doing administration with `sudo foo`. When I need to do administration, I log in as root. Otherwise I log in as a user. These two distinct roles should not be mixed. Also, I already have the `pam` infrastructure installed. I don't want to install another `setuid` program which could introduce security bugs. – Martin Vegter Feb 13 '14 at 10:47
  • @MartinVegter You don't have to do `sudo foo` for specific commands. Sudo has `sudo -s` which will launch a shell. sudo is a very common utility, meaning its security has been thoroughly vetted, **far more** than some pam trickery will be. I would also argue that getting a root shell for tasks is much more insecure than launching specific commands. When you launch a shell, you run **everything** as root. If any one of those things (such as a simple `ls`) has a security vulnerability, then you've just opened a security hole. – phemmer Feb 13 '14 at 13:47
  • @MartinVegter there you go, can't get cleaner than that without sudo. Also, I agree with Patrick regarding pam trickery security over sudo. – GnP Feb 13 '14 at 21:46
  • Really, `sudo` uses "pam trickery" to manage authentication (as `/etc/pam.d/sudo` exists), so it sure ain't more secure or thoroughly vetted than `pam`. `sudo` is just a shim with the suid bit reading config files (so it's possible to configure and perform trickery with it, as opposed to `su`) and using `pam`. `su` and `sudo` are also [basically the same thing](https://www.howtoforge.com/tutorial/sudo-vs-su/): _"The primary difference between the two is the password they require: while 'sudo' requires current user's password, 'su' requires you to enter the root user password."_ – David Tonhofer Jan 25 '19 at 15:16

5 Answers

90

Add the following lines underneath the pam_rootok.so line in your /etc/pam.d/su:

auth  [success=ignore default=1] pam_succeed_if.so user = martin-test
auth  sufficient                 pam_succeed_if.so use_uid user = martin

These lines perform checks using the pam_succeed_if.so module. See also the Linux-PAM configuration file syntax to learn more about the auth lines.

  • The first line checks whether the target user is martin-test. If it is, nothing happens (success=ignore) and we continue on the next line to check the current user. If it is not, the next line is skipped (default=1) and we continue on the subsequent lines with the usual authentication steps.
  • The second line checks whether the current user is martin. If it is, the system considers the authentication process successful and returns (sufficient). If it is not, nothing happens and we continue on the subsequent lines with the usual authentication steps.

You can also restrict su to a group; here the group allowedpeople can su without a password:

auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople
Shan-mk
GnP
  • If you want to authorize if they are in a certain group: auth sufficient pam_succeed_if.so user ingroup GROUP – shrimpwagon Aug 25 '15 at 21:08
  • @gnp Super Thanks!! Working on iCinga with nrpe, have to execute some command as a different user!! Helped a lot!!!!!! Thanks!!!!! – saravanakumar May 26 '16 at 15:57
  • @GnP Please help me on http://askubuntu.com/questions/821793/users-su-without-password-with-pam-su-authentication – Nullpointer Sep 06 '16 at 18:19
  • It would be nice to add info on how to apply the changes as well. – Kyslik Nov 14 '17 at 13:33
  • @Kyslik what do you mean? The instructions on how to edit the necessary files are in the answer ... – GnP Nov 14 '17 at 17:10
  • Don't you need to restart some kind of service? – Kyslik Nov 14 '17 at 17:11
  • @Kyslik oh right. Not in this case, where the changes apply only to `su`. (There may be other instances of pam changes that require restarting a service.) – GnP Nov 14 '17 at 17:15
  • I came up with two lines: `auth [success=ok default=1] pam_succeed_if.so use_uid user in martin:martin-test` and `auth [success=done default=ok] pam_succeed_if.so user in martin:martin-test` to also allow _martin-test_ to switch to _martin_ – Maciej Łoziński Nov 22 '17 at 20:02
  • I'm getting `su: pam_start: system error` (on mac os x) – Alec Jacobson Jun 03 '20 at 17:11
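One detail worth checking before relying on the answer above: pam_succeed_if evaluates its conditions against PAM_USER, the account being switched *to*, unless `use_uid` is given, in which case it evaluates the real uid of the caller. The two lines in the answer get this right (the first line deliberately tests the target, the `sufficient` line tests the caller with `use_uid`), but a `sufficient` rule such as the `user ingroup GROUP` variant quoted in the comments, written without `use_uid`, would let any caller su to any member of that group without a password. The following POSIX shell audit is an added example, not part of GnP's answer or the comments; it reads a PAM stack file given as an argument and reports terminal pam_succeed_if rules that lack `use_uid`. The sample stack it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the answer or its comments): audit a PAM stack such as
# /etc/pam.d/su for pam_succeed_if rules that can end the auth stack with success
# but do not carry "use_uid". Without use_uid the module evaluates PAM_USER, the
# account being switched TO, not the calling user, so a terminal rule like
#   auth sufficient pam_succeed_if.so user ingroup GROUP
# would let any caller su to any member of GROUP without a password.

# audit_su_stack FILE
#   Prints one finding per suspicious line and returns 0 when none were found,
#   1 otherwise. Blank lines, comments and non-auth lines are ignored.
audit_su_stack() {
    _file=$1
    _findings=0
    _lineno=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _lineno=$((_lineno + 1))
        # Only "auth" rules of pam_succeed_if are of interest here
        # (a leading "#" means the line is commented out and never matches).
        case "$_line" in
            auth*pam_succeed_if.so*) ;;
            *) continue ;;
        esac
        # Only controls that can return success to su from this very line:
        # "sufficient", or a bracketed control containing success=done.
        case "$_line" in
            *sufficient*|*success=done*) ;;
            *) continue ;;
        esac
        # With use_uid the rule is evaluated against the caller: the intended shape.
        case "$_line" in
            *use_uid*) continue ;;
        esac
        _findings=$((_findings + 1))
        printf '%s:%d: terminal pam_succeed_if rule without use_uid (tests the target user, not the caller): %s\n' \
            "$_file" "$_lineno" "$_line"
    done < "$_file"
    [ "$_findings" -eq 0 ]
}

# write_sample_stack FILE
#   Writes a constructed sample su stack: pam_rootok, the two lines from the
#   answer above, and the "ingroup GROUP" variant quoted in the comments.
write_sample_stack() {
    cat > "$1" <<'EOF'
auth  sufficient                 pam_rootok.so
auth  [success=ignore default=1] pam_succeed_if.so user = martin-test
auth  sufficient                 pam_succeed_if.so use_uid user = martin
auth  sufficient                 pam_succeed_if.so user ingroup GROUP
auth  include                    system-auth
EOF
}

# Stand-alone demo: audit the constructed sample and report the verdict.
_demo=$(mktemp)
write_sample_stack "$_demo"
if audit_su_stack "$_demo"; then
    echo "$_demo: no findings"
else
    echo "$_demo: review the lines reported above"
fi
rm -f "$_demo"
```

Run it against the real file with `audit_su_stack /etc/pam.d/su` (the function only reads the file). A finding means "review", not necessarily "broken": the second line of the two-line variant in the comments above is terminal and has no `use_uid`, but it is only reached after the preceding line has already tested the caller, so it would be reported and then judged safe by a reader who checks the surrounding lines.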
14

If you don't want to change groups or use sudo, use a pam module called pam_exec to execute external scripts in a pam stage.

Add a line in your /etc/pam.d/su after the pam_rootok.so line:

auth       sufficient pam_exec.so quiet /path/to/script

/path/to/script has the permissions 755 (rwxr-xr-x) and the following content:

#!/bin/bash
# pam_exec exports these for the script: PAM_TYPE is the stack being run,
# PAM_USER the account being switched to, PAM_RUSER the calling user.
if [ "$PAM_TYPE" == "auth" ] && \
   [ "$PAM_USER" == "martin-test" ] && \
   [ "$PAM_RUSER" == "martin" ]; then
  exit 0   # success: the "sufficient" line lets su proceed without a password
else
  exit 1   # failure of a "sufficient" module is ignored; the remaining auth lines run
fi

So this script exits with success if su:

  • is called in context of authentication,
  • the calling user is martin and
  • the user to authenticate is martin-test.

See:

martin@host:~$ su - martin-test
martin-test@host:~$ exit
martin@host:~$ su - otheruser
Password: ****
otheruser@host:~$ 
Eliah Kagan
chaos
  • pam_access can be used to provide similar functionality, without relying on a script. (This is what pam_access was made to do.) – jsbillings Feb 06 '14 at 01:37
  • @jsbillings Would you make that (with some details) another answer? – Hauke Laging Feb 06 '14 at 06:06
  • how would I need to modify my `/etc/pam.d/su` to make use of `pam_access` for my situation? – Martin Vegter Feb 06 '14 at 09:18
  • @jsbillings Actually `pam_access` can't do this. When `su` is going through the pam stack, it's doing so as the user you're changing to, not the user you're changing from. So if you add a rule such as `+ : martin : ALL`, it will allow **anyone** changing **to** `martin`. Even if you change `martin` to `martin-test`, it will still let anyone do it. You need to analyze both the user you're coming from, and the user you're changing to. Really, this is exactly what `sudo` is for... – phemmer Feb 12 '14 at 22:28
8

This might be the best possible way.

su is not meant to do that -- sudo is.

Open /etc/sudoers.d/custom and write the following:

user-a ALL=(user-b:user-b) NOPASSWD:ALL

This means: whenever user-a executes sudo -u user-b, let him go without asking for the password.

Another way

youruserid ALL = (username) NOPASSWD: ALL

Add this with visudo; then sudo -u username bash is like su - username.

champion-runner
0

If you don't have access to the root account, but have the password of the user you want to use to run a command, you can do the following.

  • This will ask you for toto's password: su - toto -c whoami
  • This will not: ssh toto@localhost whoami

Just install your public key in toto's authorized_keys.

Rui F Ribeiro
Patrick
  • Thoughtful answer.. However, the command someone wanna try running is already on the machine. So there is no point ssh'ing to the same server. – Raja Anbazhagan Aug 12 '15 at 11:31
-1

My simple solution is:

sudo login -f martin-test

If you want to avoid sudo at all cost, I think it should be possible to put this in a script:

  1. owned by root and with root privileges (using the setuid flag)
  2. executable by everybody, also without any sudo.

However, I can't figure out the chown root and chmod +s ToTest.sh bits, to make this actually work:

#!/usr/bin/env bash
echo howdy, I am $(whoami)
sudo login -f martin-test

It still runs as my normal user, as the echo tells me. And it still requires the sudo password. If it were running as root, one could do away with the sudo in the last line...

Frank N
  • The setuid flag on a shell script (or any other script) won't work in Linux, and for good reasons. Notice that the above script with a working suid flag would immediately be a trap: it engages bash via "env" (quite self-defeatingly, because if you assume you don't know where `bash` is, why do you assume you know where `env` is or whether it even exists?). But in the end, you don't know what `bash` this will be exactly. It could come from the invoking user's directory and have been compiled a minute earlier from his source code. You see where I'm going? Or the user could override `whoami`... – David Tonhofer Jan 26 '19 at 13:31
  • My brain is currently too far away from these issues to fully grasp, but still thanks for the detailed explanations. – Frank N Jan 28 '19 at 11:36