I want a specific group of users to be able to use the su command as a specific user.

Example:

Group         User
allowsu_aa    aa
allowsu_bb    bb
allowsu_cc    cc

So I added the lines below to the /etc/pam.d/su file.

auth            [success=2 default=ignore]        pam_succeed_if.so user = aa
auth            [success=2 default=ignore]        pam_succeed_if.so user = bb
auth            [success=2 default=3]             pam_succeed_if.so user = cc
auth            [success=done new_authtok_reqd=done default=2]      pam_succeed_if.so use_uid user ingroup allowsu_aa
auth            [success=done new_authtok_reqd=done default=1]      pam_succeed_if.so use_uid user ingroup allowsu_bb
auth            [success=done new_authtok_reqd=done default=ignore]      pam_succeed_if.so use_uid user ingroup allowsu_cc

But it didn't work as I wanted.

How should I fix it?

muru

1 Answer


Here is a good description of how to do it: https://www.tecmint.com/switch-user-account-without-password/ I tested it successfully (Rocky Linux 9). PAM is quite ... complicated (for me). You also have to take care where in the file you place the config lines. When my user is a member of test_group, I can switch to test_user without a password:

cat /etc/pam.d/su
#%PAM-1.0
auth        required    pam_env.so
auth        sufficient  pam_rootok.so
##### START 
auth       [success=ignore default=1] pam_succeed_if.so user = test_user
auth       sufficient   pam_succeed_if.so use_uid user ingroup test_group
##### END
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required    pam_wheel.so use_uid
auth        substack    system-auth
auth        include     postlogin
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     include     postlogin
session     optional    pam_xauth.so

Hope that helps.

ulrich17

Something similar was also described here: https://unix.stackexchange.com/questions/113754/allow-user1-to-su-user2-without-password – ulrich17 Apr 07 '23 at 06:31
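As an added check (example code, not from the question, the answer or any PAM project), here is a small Python simulator of the auth-stack jump rules these stanzas rely on, so the skip counts of a multi-pair version of the answer's pattern can be verified before editing the real /etc/pam.d/su. It models only what these lines use: the sufficient control, bracketed [success=... default=...] controls with the ignore, done and N actions, and pam_succeed_if's "user = NAME" and "use_uid user ingroup GROUP" tests; the group memberships are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed group memberships for the example: calling user -> groups.
GROUPS: Dict[str, List[str]] = {"alice": ["allowsu_aa"], "bob": ["allowsu_bb"], "carol": ["users"]}

LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+pam_succeed_if\.so\s+(.+)$")

def build_stack(pairs: List[Tuple[str, str]]) -> List[str]:
    """Emit the answer's two-line pattern once per (group, target_user) pair."""
    lines = []
    for group, target in pairs:
        lines.append(f"auth [success=ignore default=1] pam_succeed_if.so user = {target}")
        lines.append(f"auth sufficient pam_succeed_if.so use_uid user ingroup {group}")
    return lines

def _condition(args: str, caller: str, target: str) -> bool:
    """pam_succeed_if test: use_uid checks the calling user, otherwise PAM_USER (the su target)."""
    t = args.split()
    subject = caller if "use_uid" in t else target
    if t[-3:-1] == ["user", "ingroup"]:
        return t[-1] in GROUPS.get(subject, [])
    if t[-3:-1] == ["user", "="]:
        return subject == t[-1]
    raise ValueError(f"unsupported condition: {args}")

def evaluate(stack: List[str], caller: str, target: str) -> str:
    """'pass' if CALLER may su to TARGET without a password, 'fail' on a failing done,
    else 'fallthrough' (later modules such as the password check in system-auth decide)."""
    i = 0
    while i < len(stack):
        m = LINE_RE.match(stack[i])
        if not m:
            raise ValueError(f"unparsed line: {stack[i]}")
        control, args = m.groups()
        ok = _condition(args, caller, target)
        if control == "sufficient":  # success ends the stack, failure is ignored
            if ok:
                return "pass"
            action = "ignore"
        else:  # [success=X default=Y ...]: pick the action for this module's result
            acts = dict(kv.split("=", 1) for kv in control.strip("[]").split())
            action = acts["success" if ok else "default"]
        if action == "done":
            return "pass" if ok else "fail"
        i += 1 + (int(action) if action.isdigit() else 0)  # N skips the next N modules
    return "fallthrough"
```

Call evaluate(build_stack([("allowsu_aa", "aa"), ("allowsu_bb", "bb")]), "alice", "aa") to trace one caller/target pair; the question's own bracketed lines can be passed to evaluate as a list to trace their jumps the same way.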