Hello all,
My system is set up with a "user" account and an "admin" account (and root account obv). I would like to allow the user to run "sudo -u admin sudo pacman -X" without the password for "user" BUT I still want to require the password from "admin". I can't seem to find anything online about this (or I'm not using the right keywords) and I'm pretty stumped on an *elegant* (whatever that's supposed to mean) way to achieve this. I'm tempted to just make a script for admin that just contains `pacman $@`, but something tells me there's a better way. I would appreciate any help. Thank you!
What sudoers entry did you try that didn't work though you'd expect it to?
And how are you invoking that command?
The alternative approach would be to su into admin and sudo pacman from there, which is gonna allow you to give admin "sudo pacman" pacmissions w/ NOPASSWD (so admin will never have to issue a password to run pacman as root) but your regular user first has to authenticate as admin (for su)
> What sudoers entry did you try that didn't work though you'd expect it to?
> And how are you invoking that command?
It's definitely more that I can't wrap my head around a suitable sudoers entry that would even potentially work (read: every possible combination of allowing user/admin sudo/pacman NOPASSWD -_-). At the moment, the only solution on my mind is a bash script owned by admin with `pacman $@` and putting something like `user ALL=(admin) NOPASSWD: /home/admin/.scripts/pacman-pass` or whatever.
Command is being invoked via normal "sudo -u admin sudo pacman -S ..." from the shell (zsh, don't think that matters tho besides alias resolution), though I should mention that I'm using a button in waybar to spawn a terminal and run "sudo -u admin /home/admin/update-system" where update-system is just a bash script with `sudo pacman -Syu`. Ideally, I would love to make this more ergonomic and be able to do it on the fly.
> The alternative approach would be to su into admin and sudo pacman from there, which is gonna allow you to give admin "sudo pacman" pacmissions w/ NOPASSWD (so admin will never have to issue a password to run pacman as root) but your regular user first has to authenticate as admin (for su)
I suppose that I could give admin free NOPASSWD reign on the pacman command, since theoretically if you're in the admin account, you probably already know the password by then, but for some reason I feel somewhat uncomfortable doing that (if anyone would like to assuage that worry, I would totally go for this solution).
Nobody can tell you to what degree you can trust the users on your system that are currently "admin" (if people can login as admin and then leave the terminal unprotected to get a cup of coffee and spend an hour at the watercooler talking about the next season of HotD, you can't - if it's a transactional account for access management, what else is the point?)
As for the sudoers: you need an entry that allows admin to sudo (at least) pacman by issuing the admin credentials and an entry for the regular user(s) to run "/usr/bin/sudo pacman" (or with specific parameters) as admin w/ NOPASSWD.
You know how to select the target user, so where's your struggle?
If you ran "sudo visudo" and allowed "pacman -Syu" and figured that you can also "pacman -Syu foo", try to first "sudo -k"…
Please use absolute command paths and I'd advise against using semi-privileged scripts unless you explicitly want the admin user (and anyone with access to it) to control what unprivileged users actually can run as admin (i.e. it doesn't matter where the script resides, but it should be under complete root control and for the suggested path that likely requires it to be immutable)
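The two entries described in the last reply, written out as a sudoers drop-in. This is an added example, not a configuration posted by anyone in the thread; the file name is hypothetical, the account names "user" and "admin" are the ones from the question, and it assumes sudo's default behaviour of prompting for the invoking user's own password (no `targetpw` or `rootpw`).

```sudoers
# /etc/sudoers.d/50-pacman-via-admin   (hypothetical file name)
# Edit only with: visudo -f /etc/sudoers.d/50-pacman-via-admin

# 1) user -> admin, without user's password.
#    The rule names /usr/bin/sudo with "pacman" as its first argument,
#    so user cannot run any other command as admin through it.
user   ALL = (admin) NOPASSWD: /usr/bin/sudo pacman *

# 2) admin -> root, with admin's password.
#    PASSWD is the default tag; it is spelled out to make the intent explicit.
#    The inner sudo resolves "pacman" to a full path before matching, so
#    only the binary at /usr/bin/pacman is accepted here.
admin  ALL = (root) PASSWD: /usr/bin/pacman

# Tighter variant for a fixed "update" button: when a rule lists arguments
# without wildcards they must match exactly, so "pacman -Syu foo" is refused.
# user   ALL = (admin) NOPASSWD: /usr/bin/sudo pacman -Syu
# admin  ALL = (root)  PASSWD:   /usr/bin/pacman -Syu

# Caveat: unrestricted pacman as root can install arbitrary packages, so
# rule 2 is root-equivalent for whoever holds admin's password.
```

Check the file with `visudo -c`, then run `sudo -k` to drop any cached credentials before testing, as the reply above suggests, and use `sudo -l` as each account to confirm which commands it is actually allowed.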