
In short, I want to know if it is possible to create three users:

user, lowp0, lowp1

Where someone logged in as user can log into lowp0 or lowp1 without a password, but lowp0 and lowp1 should not be able to log in as anyone else.


Why? The idea is to isolate an application because the lowp0, lowp1 users will only have access to a few files.

mame98
  • As well as sudo and ssh. Consider that you may not need to change user. You can set permissions on a file so that another user can access/write to it. see https://unix.stackexchange.com/q/101263/4778 – ctrl-alt-delor May 23 '18 at 10:15
  • I think the conflict is resolved as I clearly stated the duplicate and removed one question as soon as someone told me where it would fit better? – mame98 May 23 '18 at 12:45
  • What can I do to resolve the hold/deletion process? – mame98 May 23 '18 at 17:29
  • As no one has linked to the duplicate, I will take your word for it, and have voted to re-open. – ctrl-alt-delor May 24 '18 at 13:19
  • Just for the future, what should I do if I am not sure where to place a question? – mame98 May 24 '18 at 23:03
  • Yes that is a problem, there was in the 1960 or earlier an idea to categorize by tag, as opposed to location (So you would put all questions on the same site, and tag them). However this idea seems to be lost to history. Hold on one moment, does this site not have tags. But alas we have forgotten how to use them, and instead have created sub-sites. – ctrl-alt-delor May 25 '18 at 11:07

1 Answer


By editing the /etc/sudoers configuration file, you can configure sudo to allow one user to run commands as another user. In particular, you can use sudo to allow one user to launch a shell as another user. For example, the following line allows user to run bash as lowp0:

user ALL=(lowp0) /bin/bash

You should then be able to do something like the following:

user@host:~$ sudo -u lowp0 bash
lowp0@host:~$

You could also use the su command in place of bash:

user ALL=(lowp0) /usr/bin/su -l

To allow access to both users via both commands, you could add the following lines:

user ALL=(lowp0,lowp1) /bin/bash, /usr/bin/su -l

If you're running an SSH server, you could also add the public key of user to the ~/.authorized_keys files of lowp0 and lowp1. This should allow user to ssh into localhost as either of these users, e.g.:

user@host:~$ ssh lowp0@localhost
lowp0@host:~$
igal
  • Thank you, I will try this ASAP and accept this if it works – mame98 May 22 '18 at 22:20
  • I don't think there's ever need to run su under sudo. They both do essentially the same thing: change user / raise privileges. There's sudo -s and sudo -i to start a shell or a login shell. Besides, running su -l as lowp0 will just ask for the root password and then change to root. Also, if you allow running an unrestricted shell, you might just allow every other command at the same time, so just user ALL=(lowp0,lowp1) ALL should do. – ilkkachu May 23 '18 at 08:42
  • Is there a way to prevent logging in as user from e.g. lowp0 except using a password? – mame98 May 24 '18 at 06:01
  • @mame98 I'm not sure what you mean. By default the lowp0 user wouldn't be able to log in as the user user without the password for user. – igal May 24 '18 at 18:30
  • Ideally I do not want to specify a password for user but still prevent the others from logging in as user... – mame98 May 24 '18 at 23:02
  • @mame98 I'm not sure what you mean. How do you plan on authenticating as user if you don't want to set a password? – igal May 28 '18 at 21:27
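Two practical caveats on the sudo approach above, plus a worked example (added here; it is not code from the question or the answer). First, the sudoers lines as written will still prompt for user's own password, because sudo authenticates the invoking user; the NOPASSWD tag is what makes the switch password-less, which is what the question asks for. Second, once a user may run a shell as lowp0 there is nothing left to restrict, so granting ALL as that run-as user is honest and simpler, and the run-as list must never include root or user itself, otherwise the delegation stops being one-way. The script below generates such a drop-in for /etc/sudoers.d/, syntax-checks it with visudo -cf when visudo is installed, and includes a small helper that reads the fragment back to show that user may run as lowp0 and lowp1 while neither low-privilege user may run as anyone. The names user, lowp0 and lowp1 come from the question; the ADMIN, TARGETS and OUT variables and the function names are this example's own assumptions, and the fragment is written to a temporary file so the script runs unprivileged. (For the ssh alternative, note that sshd reads ~/.ssh/authorized_keys by default, with the directory mode 0700 and the file 0600.)

```shell
#!/bin/sh
# Added example, not from the original post: build a sudoers drop-in that lets
# $ADMIN switch to each user in $TARGETS with no password, and nothing else.
# ADMIN, TARGETS and OUT are this example's assumptions.
set -eu

ADMIN="${ADMIN:-user}"
TARGETS="${TARGETS:-lowp0 lowp1}"
# Temp file by default so this runs unprivileged; install the validated file
# as root under /etc/sudoers.d/ (mode 0440, owner root) to make it effective.
OUT="${OUT:-$(mktemp)}"

# Write the fragment. A shell is unrestricted, so naming /bin/bash or su buys
# nothing over ALL; the security boundary is the run-as list in parentheses.
# NOPASSWD removes the prompt for $ADMIN's own password.
write_fragment() {
    targets_csv=$(printf '%s' "$TARGETS" | tr ' ' ',')
    {
        printf '# %s may run any command as %s, without a password.\n' "$ADMIN" "$targets_csv"
        printf '# %s is never listed as a run-as target, so the reverse is impossible.\n' "$ADMIN"
        printf '%s ALL=(%s) NOPASSWD: ALL\n' "$ADMIN" "$targets_csv"
    } > "$OUT"
    chmod 0440 "$OUT"
}

# Syntax-check the fragment before installing it. -c checks only, -f points
# visudo at our file instead of /etc/sudoers. visudo also reports ownership
# and mode problems, so expect a complaint about a non-root temp file.
validate_fragment() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; syntax check skipped" >&2
        return 0
    fi
    visudo -cf "$OUT" || echo "visudo reported a problem; do not install $OUT" >&2
}

# Return 0 if the fragment grants $1 commands as $2, 1 otherwise. This only
# reads the one-line fragment written above; on a real host, the authoritative
# check is `sudo -l -U <name>`, which evaluates the whole policy.
may_run_as() {
    who="$1"; as="$2"
    grep -E "^${who}[[:space:]]+ALL=\(([^)]*,)?${as}(,[^)]*)?\)" "$OUT" >/dev/null 2>&1
}

write_fragment
validate_fragment
echo "fragment written to $OUT:"
cat "$OUT"
```

After installing the file as root, `sudo -l -U lowp0` should print that lowp0 may run nothing, while `sudo -u lowp0 -s` run by user should drop straight into a shell as lowp0 with no prompt.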