I ran into the following scenario, in a production environment which was highly critical:
- Bob (unprivileged) needed to run a specific binary in a production environment, as Alice (privileged).
- We needed to find a way to accomplish this without needing Alice to share her password with Bob.
So we did this:
Problem we’re solving
What we want here is to be able to:
- Bob needs to switch user (
su) to Alice, but using only his own password. Both on different groups.
Instead of the default option which is:
- Bob needs to switch to Alice (Who is on another group) by knowing Alice’s password.
The rest of this post explains what I did, in a sandbox/test box.
Scenario
We have 2 users in 2 different groups:
- User 1: “user” (Unprivileged)
- Group 1: “staff” (Unprivileged)
- User 2: “Operator” (Privileged)
- Group 2: “Operations” (Privileged)
The following was added in /etc/ssh/sshd_config file:
# Allow "staff" users to execute bash as "operator":
%staff ALL=(operator) /usr/bin/bash
In real scenarios we should instead assign the specific binary path we want, or command, making sure an unprivileged user cannot modify this same binary. We’re not aiming at giving an unprivileged user more privileges; we’re aiming at giving an unprivileged user one capability only a privileged user has.
The following means:
- “Staff” users can execute /bin/bash as user “operator”
Before & after switching users
Successfully switching user to “operator” without needing to be in that group, or knowing operator’s password
