10

I have 2 users, userA and userB. userB needs to run some commands as userA. I have specified these options in /etc/sudoers as below:

userA ALL=(ALL) ALL
userB ALL=(vinoth) /sbin/fdisk

I ran this command as userB:

sudo -u userA fdisk -l 

It asked for the password of userB. Once I entered the password, the command didn't give the fdisk output.

Eric Renouf
  • 18,431
  • 1
    What did it give? Wasn't there an error message? What user is running the command? Are you trying to have userB run fdisk as userA? – terdon Feb 08 '16 at 11:01
  • Hi Terdon, thanks for your time. Yes, userB is trying to run the command fdisk as userA. There was no error message. – vinothsaran Feb 08 '16 at 11:21
  • 1
    Does userA have the privilege to get fdisk -l output? – tonioc Feb 08 '16 at 12:03

1 Answer

13
  1. In your configuration you allowed:

    • userA to run any command as any user
    • userB to run fdisk as vinoth
  2. fdisk by default requires root privileges to access the devices; you cannot run it as userA, i.e. you can run it, but fdisk -l will print no output, which is what you got.

  3. Finally, the sudo command is not transitive. When you execute a command from the userB account using sudo -u userA <command>, the <command> will be run using userA's credentials, and the fact that userA has settings defined in sudoers does not apply to this command.


Using sudo -u

To allow userB to execute a command as userA, you need to put the following into sudoers:

userB ALL=(userA) /usr/bin/whoami

Then log in to a shell as userB and execute:

$ sudo -u userA whoami
userA

But userA has permissions to run whoami (which it does). It does not for fdisk.


Enabling fdisk for regular users

fdisk itself is not restricted to the root account; however, it requires access to disk devices (stored in /dev, which are not accessible to regular users). To give a user permission to run fdisk, you can either:

  1. Enable sudo for the account. Running sudo fdisk -l effectively means fdisk is run under the root account.

  2. Add the account to the disk group, which will allow running fdisk -l without sudo, using the account's credentials.

techraf
  • 5,941
  • Thanks techraf, it works. Assume that UserA has permission to run the fdisk command. In this case, how can userB run fdisk as userA? – vinothsaran Feb 08 '16 at 11:32
  • If UserA had permission to run fdisk, then your configuration in the original post would work. – Chris Feb 08 '16 at 11:35
  • @Techraf, for userA: I have added the line in the /etc/sudoers file as given below, userA ALL=ALL, and only then am I trying to run the command as userA – vinothsaran Feb 08 '16 at 11:52
  • @techraf, thanks for your explanation. Now I understand why it didn't work when I ran the command – vinothsaran Feb 09 '16 at 02:12
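
Point 2 of the answer, as an added example that is not part of the original post: the kernel's owner/group/other check on the disk node decides whether the run-as user can read it, whatever that user's own sudoers entry says. The `root:disk` mode `660` node and the function names are assumptions; ACLs and capabilities are ignored.

```shell
#!/bin/sh
# Added example. Classic owner/group/other check only; ACLs and
# capabilities are ignored. Function names are hypothetical.

# can_read OWNER GROUP MODE USER "GROUP LIST"
#   OWNER GROUP MODE: output of  stat -c '%U %G %a' DEVICE  (GNU stat)
#   GROUP LIST:       output of  id -Gn USER
# Returns 0 if USER may open the node for reading, 1 otherwise.
can_read() {
    cr_owner=$1 cr_group=$2 cr_user=$4 cr_list=$5
    if [ "$cr_user" = root ]; then return 0; fi   # root bypasses mode bits
    cr_mode=$((0$3))                # leading 0: parse the mode as octal
    cr_bits=$(( cr_mode & 7 ))      # default to the "other" bits
    if [ "$cr_user" = "$cr_owner" ]; then
        cr_bits=$(( (cr_mode >> 6) & 7 ))   # owner bits win, even if stricter
    else
        for cr_g in $cr_list; do
            if [ "$cr_g" = "$cr_group" ]; then
                cr_bits=$(( (cr_mode >> 3) & 7 ))
                break
            fi
        done
    fi
    if [ $(( cr_bits & 4 )) -ne 0 ]; then return 0; fi
    return 1
}

# check_live DEVICE USER: the same check against the running system.
check_live() {
    cl_stat=$(stat -c '%U %G %a' "$1") || return 2
    cl_groups=$(id -Gn "$2") || return 2
    set -- $cl_stat "$2" "$cl_groups"   # unquoted on purpose: three fields
    can_read "$@"
}

# Constructed sample: a disk node "brw-rw---- root disk" (mode 660).
# Mode 660 also gives disk-group members raw WRITE access to the whole
# disk, so membership in that group is effectively root-equivalent.
demo() {
    for d_case in "userA:userA" "userA:userA disk" "root:root"; do
        d_user=${d_case%%:*} d_groups=${d_case#*:}
        if can_read root disk 660 "$d_user" "$d_groups"; then
            echo "$d_user [$d_groups]: can read the disk, fdisk -l lists partitions"
        else
            echo "$d_user [$d_groups]: cannot read the disk, fdisk -l prints nothing"
        fi
    done
}
demo
```

On a live system, `check_live DEVICE userA` runs the same check against real `stat` and `id` output for the run-as user.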