'su' to specified user after login



vatson
06-Jun-2015, 14:45
We have a number of development servers, each running a number of services such as Jetty, ActiveMQ etc. There is a specific user account on each server which is used for running these services. Developers occasionally need to start/stop these services. Currently they need to take care to always 'su' to the correct user account (which they sometimes forget) or directly log in as this user account (which is not the most secure way to do things). Is it possible to set things up so that each user logs in with their own user account and then immediately their session gets 'su'-d to the correct user account? I looked at PAM manuals which seemed the most obvious place to do this, but nothing immediately caught my eye.

malcolmlewis
06-Jun-2015, 19:04
Hi
Why not just create a group (e.g. developers) then add the group to the users and services?

Else look at using sudo for the users...

vatson
07-Jun-2015, 22:16
Actually sudo is already being used, but sometimes people forget to use it, start some service as themselves and various temporary files and sockets get created with the wrong user ID, which causes Bad Things later. For now I cooked up this initial solution:

Add to sudoers file:

%developers ALL=(ALL) NOPASSWD: /bin/su - serviceuser

Add to end of /etc/bash.bashrc:

sudo /bin/su - serviceuser

I was hoping to figure out some more 'low-level' solution with PAM or thereabouts, but maybe this will do.
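
A guarded form of the bash.bashrc hook from this thread, as an added example that is not part of the original posts: it switches only interactive shells of developers group members, skips root and serviceuser itself, and calls su through sudo so the NOPASSWD rule applies. The group and account names come from the thread; the function name should_switch_to_service is hypothetical.

```shell
# Added example, not from the original posts.
# "developers" and "serviceuser" are the names used in the thread;
# should_switch_to_service is a hypothetical helper name.
SERVICE_USER=serviceuser
DEV_GROUP=developers

# should_switch_to_service USER GROUPLIST SHELL_FLAGS
# Returns 0 only when the shell is interactive, USER is a member of
# $DEV_GROUP, and USER is neither root nor the service account.
should_switch_to_service() {
    user=$1
    grouplist=$2
    flags=$3

    # Non-interactive shells (scp, rsync, "ssh host cmd", cron) pass through
    # untouched; switching there would break file transfers and automation.
    case $flags in
        *i*) ;;
        *) return 1 ;;
    esac

    # Never switch from the service account's own shell (this would re-enter
    # the hook wherever su's login shell reads the same file), and leave root
    # alone so admin sessions are not redirected.
    case $user in
        "$SERVICE_USER"|root|'') return 1 ;;
    esac

    # Whole-word match on the space-separated group list from "id -Gn".
    case " $grouplist " in
        *" $DEV_GROUP "*) return 0 ;;
    esac
    return 1
}

if should_switch_to_service "$(id -un)" "$(id -Gn)" "$-"; then
    # Same command and arguments as the sudoers rule, so NOPASSWD matches.
    # No exec here: when su exits, the developer is back in their own shell.
    sudo /bin/su - "$SERVICE_USER"
fi
```

This hook is a convenience against forgetting to switch, not an access control: leaving the su session returns the developer to a shell under their own account.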