su command without password

DeckMechanic · #1 29th May 2009, 04:37 PM

Hello guys. A quick one I hope

Is it possible to su - to another user without having to put in the password everytime?

I want this.............................................
[bob@mypc ~]$ su - sandy
Password:
[sandy@mypc ~]$

to become this.....................
[bob@mypc ~]$ su - sandy
[sandy@mypc ~]$

Many thanks

Sandy

brunson · #2 29th May 2009, 04:40 PM

You can do that with sudo, read the man page, there are examples at the bottom. The default behavior for sudo is to make you type the password once, then allow you to keep using sudo without a password until some period of time passes. In other words your authorization gets cached, then expires after disuse.

You could also write a small C program that you chown to the user you're interested in, then set the suid bit on it, that will allow you to assume the identity of whoever.

Note: THIS IS EXTREMELY INSECURE, but you know your environment better than any of us here.

For example, put this in a file called dosu.c:

Code:

#include <sys/types.h>
#include <unistd.h>

int main( int argc, char *argv[] ) 
{
  if ( argc > 1 ) {
      setuid( 0 );
      execvp( argv[1], argv + 1 );
  }
  return( 1 );
}

Code:

ebrunsonlx(~)$ make dosu
cc     dosu.c   -o dosu
ebrunsonlx(~)$ id
uid=500(ebrunson) gid=500(ebrunson) groups=500(ebrunson),802(mysql)
ebrunsonlx(~)$ ./dosu id
uid=500(ebrunson) gid=500(ebrunson) groups=500(ebrunson),802(mysql)
ebrunsonlx(~)$ sudo chown root.root dosu
[sudo] password for ebrunson: 
ebrunsonlx(~)$ sudo chmod u+s dosu
ebrunsonlx(~)$ ls -l dosu
-rwsrwxr-x 1 root root 4978 2009-05-29 10:00 dosu*
ebrunsonlx(~)$ ./dosu id
uid=0(root) gid=500(ebrunson) groups=500(ebrunson),802(mysql)
ebrunsonlx(~)$ sudo su - root
[root@ebrunsonlx ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@ebrunsonlx ~]# logout
ebrunsonlx(~)$ sudo su - mysql
-bash-3.2$ id
uid=27(mysql) gid=27(mysql) groups=27(mysql)

jteb · #3 29th May 2009, 05:29 PM

You could (although I wouldn't recommend it) put another rule in your /etc/sudoers file, partly like brunson already said.

<code>
bob ALL=(ALL) NOPASSWD: ALL
</code>

Then you can just do
# sudo su sandy

It would give user bob permissions to use sudo w/o a password anytime

Cheers,
Jan

Super Jamie · #4 26th April 2012, 12:53 PM

This still turns up in Google Results so I'm resurrecting the thread and providing a good answer.

In the file /etc/pam.d/su put this as the second line:

Code:

auth            sufficient      pam_permit.so

This is incredibly insecure as it lets literally anyone at all with a login become root.

To restrict this just to your username, use this line instead, replace the "yourusername" with your actual username:

Code:

auth            sufficient      pam_succeed_if.so use_uid user = yourusername

You can also restrict this to a group, here the group "allowedpeople" can su without a password:

Code:

auth            sufficient      pam_succeed_if.so use_uid user ingroup allowedpeople

You can now type su - to become root (or any user really) without a password prompt.

William Haller · #5 26th April 2012, 02:35 PM

It's also easy to just bring up a root konsole shell with kdesu and restrict the operations you do in that to safe non-internet connected things. From there you can su sandy - and become that user without a password once you've authenticated as root once. I presume you have a valid system reason for wanting to become the other user that won't get you fired. In my case I run some software like accounting packages out of another user and it is just easier to use that approach to become the accounting user without doing an entire switch-user.

It is still dangerous to run as root and for that reason I recommend the specific konsole approach. You can do all your system maintenance using it from a normal user login and let the normal user login handle all the e-mail, browsing, and other functions that are exposed to the real world.

Clearly, if your need is occasional, then you should sudo instead. But if you are a network admin who needs to check logs and the like a lot or run routine yum updates, then this is a safer alternative than just logging on as root.

Super Jamie · #6 26th April 2012, 02:42 PM

Actually I'm just lazy, I'm tired of entering the password every time I type su -.

This is just on my desktop at home and on a private server I run. The server is ssh-only so using graphical sudo/beesu/kdesu/etc isn't an option.

It would be foolish, and probably in breach of any decent employment contract, to make this sort of change on a business production system. Probably just as silly as using Fedora as a business production server.

axel2078 · #7 27th April 2012, 02:26 AM

As someone has already mentioned, the simplest way to do this would be to add your name to the sudoers file with the option to not supply a password.

Super Jamie · #8 27th April 2012, 11:36 AM

Then you still have to type sudo. I don't want to do that.

axel2078 · #9 27th April 2012, 01:39 PM

Wow, you are lazy. You may as well log in as root and do everything that way. Since you are so lazy, go ahead and make root's password blank while you're at it so you don't have to trouble yourself to type anything to log in.