Sudo vs su (as non-root user)

sudoterminal

My computer has user1 and user2, both administrators.

While I'm logged in as user1 I'm trying to:

"su – user2" -> prompts me for the users2 password, then I can type commands
"sudo –user=user2 [command]" -> prompts me for the password. If I type user2's password I get a "Sorry, try again." error message as if the password is incorrect. If I type user1's password it runs correctly.

Shouldn't the sudo command require the user's password that I define in the "–user" parameter?

Best Answer

This is expected behaviour.

The purpose of su is to switch user. It's called the substitute user identity tool. su takes the other user's password since you are switching to that user.

The su utility requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed.

^{Source: Man page}
The purpose of sudo is to execute a command as another user. The -u or --user option for sudo specifies that user. You're not logging in as that user, just running a command. sudo takes your password to verify your identity for performing such a task.

Configuration

To configure sudo, you must edit its configuration file via: visudo. Note: this command will open the configuration using the vi text editor, if you are unconfortable with that, you need to set another editor (using export EDITOR=<command>) before executing the following line. Another command line editor sometimes regarded as easier is nano, so you would do export EDITOR=/usr/bin/nano. You usually need super user privilege for visudo:

sudo visudo

This file is structured in different section, the aliases, then defaults and finally at the end you have the rules. This is where you need to add the new line. So you navigate at the end of the file and add this:

user1    ALL=(user2) NOPASSWD: /bin/bash

You can replace also /bin/bash by ALL and then you could launch any command as user2 without a password: sudo -u user2 <command>.

If you want to be able to switch to any user just use

user1    ALL=(ALL) NOPASSWD: /bin/bash

Update

I have just seen your comment regarding Skype. You could consider adding Skype directly to the sudo's configuration file. I assume you have Skype installed in your Applications folder:

user1    ALL=(user2) NOPASSWD: /Applications/Skype.app/Contents/MacOS/Skype

Then you would call from the terminal:

sudo -u user2 /Applications/Skype.app/Contents/MacOS/Skype

MacOS – cannot run sudo

I found out that the I was able to modify /etc/sudoers when I logged in as work using ssh. Not sure if I had made some mistake with my previous attempt with su - work.

The following steps worked:

Logged in as local, start with ssh work@localhost
sudo visudo
Add entry local ALL=(ALL) ALL
Save and exist vi
Exist ssh session
Try sudo ls /

Best Answer

Related Solutions

Allow sudo to another user without password

Configuration

Update

MacOS – cannot run sudo

Related Question