[X-Unix] Sudo as Another User

Brian Medley bpm-list-osx-unix at 4321.tv
Wed Feb 25 11:24:36 PST 2004


On Wed, Feb 25, 2004 at 11:06:58AM -0500, Alex wrote:

> On Wednesday, Feb 25, 2004, at 10:27 Canada/Eastern, Kevin Stevens 
> wrote:
> 
> >[...] the non-admin user needs to be
> >a member of the "admin" group in order to be able to sudo. [...]
> 
> So, if I understand you correctly, a non-admin user can't run sudo at 
> all, not even as another user. Right?

By default I believe that's correct; however, with some editing that can
be changed so that a non-admin user can run sudo.  The reason is because
of /etc/sudoers.  This file defines who has the ability to run sudo,
that is to say, who has the privilege of executing the code stored in
/usr/bin/sudo.  You see, sudo always executes as the logged in user, but
it has the capability of executing other code as different users.  The
-u command to sudo specifies that any programs sudo runs will run as
that user, not that sudo will be executed as that user.

Does that make sense?

Admins in OS X have the ability to run sudo because they are members of
group admin and the following line is in /etc/sudoers:

%admin  ALL=(ALL) ALL

The % sign specifies a particular group and the ALL=(ALL) ALL is sudo
nomenclature for specifying access rights.

If you want to give access to sudo to a user w/o making them an admin,
then you may do so with either of the following two lines: 

user  ALL=(ALL) ALL
user  ALL=NOPASSWD:ALL

The first gives a specific user the same privileges as admins, and the
second has the privileges w/o requiring an initial password (very handy
for shell scripts).

The recommended way to edit /etc/sudoers is with /usr/sbin/visudo.  I
believe it honors the EDITOR env var, so most any editor can be used to
edit this file.

-- 
~'`^`'~=-.,__,.-=~'`^`'~=-.,__,.-=~'`^`'~=-., \|/  (___)  \|/ _,.-=~'`^`
                                               @~./'O o`\.~@
               "Knowledge is Power"           /__( \___/ )__\  *PPPFFBT!*
                  -- Francis Bacon               `\__`U_/'
 _,.-=~'`^`'~=-.,__,.-=~'`^`'~=-.,__,.-=~'`^`'~= <____|'  ^^`'~=-.,__,.-=
~`'^`'~=-.,__,.-=~'`^`'~=-.,__,.-=~'`^`'~=-.,__,.-==--^'~=-.,__,.-=~'`^`
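
The sudoers rule forms quoted in the message above, run through a small audit script that reports grants going beyond the default %admin rule. This is an added example, not part of the original post; the user names alice, build and deploy and the rsync rule are constructed, and the parser handles only simple one-line rules (no aliases, line continuations or #uid syntax).

```python
import re

# Constructed sample built from the rule forms quoted in the message.
SAMPLE = """\
# constructed sample sudoers content
Defaults env_reset
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) ALL
build   ALL=NOPASSWD:ALL
deploy  ALL=(www) NOPASSWD: /usr/bin/rsync
"""

# who host=(runas) [TAG:]commands ; the (runas) part is optional
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")

def parse_rule(line):
    """Parse one simple user specification; return None for other lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults") or re.match(r"^\w+_Alias\b", line):
        return None
    m = RULE.match(line)
    if not m:
        return None
    rest, tags = m.group("rest").strip(), []
    while (t := TAG.match(rest)):          # peel off tags such as NOPASSWD:
        tags.append(t.group(1))
        rest = rest[t.end():]
    return {"who": m.group("who"), "is_group": m.group("who").startswith("%"),
            "runas": m.group("runas") or "root",   # sudo runs as root if no runas list
            "tags": tags, "commands": [c.strip() for c in rest.split(",")]}

def audit(text):
    """Return (who, finding) pairs for rules broader than a group ALL grant."""
    findings = []
    for r in filter(None, map(parse_rule, text.splitlines())):
        all_cmds = "ALL" in r["commands"]
        if all_cmds and "NOPASSWD" in r["tags"]:
            findings.append((r["who"], "any command as %s without a password" % r["runas"]))
        elif all_cmds and not r["is_group"]:
            findings.append((r["who"], "any command as %s, granted to a single user" % r["runas"]))
        elif "NOPASSWD" in r["tags"]:
            findings.append((r["who"], "passwordless: %s as %s" % (", ".join(r["commands"]), r["runas"])))
    return findings

if __name__ == "__main__":
    for who, finding in audit(SAMPLE):
        print(f"{who}: {finding}")
```
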


