Allowing admin user to access other users

user8394

I'm trying to find a way to give some colleagues from the support department SSH access to perform some tasks for users.
I was thinking of giving extra privileges to the admin user, which the colleagues can use. I don't want to give access rights.
For example, I want the admin user to set the correct permissions for user folders, move files, rsync, (s)ftp, etc. A lot of these features are already possible in the GUI, but some actions are better performed over SSH.

Ideally I want them to have access to the /home directory for all users, but I did not manage to get that working (I checked this: https://unix.stackexchange.com/ques...ew-the-home-directory-of-other-users-via-sudo).

Another idea is adding the admin user to the groups of the user accounts and using su to log in as the end user, but since every DA user has his own group, I would have to add every group to the admin user. Also not ideal.

What would be the best way for this? I really don't want to give root access.
 
As you have decided so, I can just recommend:
Parse the user list, exclude the ones not needed, add the new groups to the colleague account, and add a script like user_create_post.sh to automate adding new users/groups. Don't use the admin login for this aggregated account; use something not parsable like "hd7igkt7i8g" as the login, and allow connecting with an SSH key only (don't allow passwords).
 
That sounds good. In that way I could allow an admin user to become the end user.
But can I also add a userlist to sudoers by file? Or do I have to add every end-user to the sudoers file?
Normally I would do:
admin ALL = (specificuser) ALL
This gives the admin user access to specificuser. But I want the admin user to have access to (almost) all users. Something like this:
admin ALL = (/file/to/allowed_userlist) ALL
But of course this is not the correct syntax. Is there a way for this?

Or is there a way to add all users except a few? In that case it would also work with newly created users, and I would not have to create a sh script.
All I could find was this: https://serverfault.com/a/17818
But no way to exclude users.
 

I tried your approach, but unfortunately it is not working great.
Every directory from the user has 711 permissions by default.
So the group is not allowed to read the directory, only the user or root.
I could change the permissions to 751, but this is not ideal, because some DA scripts reset this to 711.
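An added example (not posted by anyone in this thread) of the sudoers approach asked about above: a POSIX shell script that turns a user list minus an exclude list into a sudoers Runas_Alias, validates it with visudo before installing, and lets one dedicated support login run commands as each end user but never as root. Because commands then run as the end user itself, the 711 home directories stay readable without loosening their mode. The login hd7igkt7i8g, the file paths and the sample user list are assumptions/constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): generate a sudoers fragment that lets one
# dedicated support login run commands as every DirectAdmin end user except an
# exclude list, without ever granting root. Paths and the "hd7igkt7i8g" login
# are assumptions; the user list format (one login per line) is constructed.
set -eu

SUPPORT_LOGIN="${SUPPORT_LOGIN:-hd7igkt7i8g}"

# build_fragment USERLIST EXCLUDES: print the sudoers fragment on stdout.
# Both files hold one login per line. Fails if no user survives filtering.
build_fragment() {
    # keep only well-formed login names, drop excluded ones, dedupe, join with ", "
    allowed=$(grep -E '^[a-z_][a-z0-9_-]*$' "$1" \
        | grep -vxF -f "$2" | sort -u | paste -sd, - | sed 's/,/, /g')
    [ -n "$allowed" ] || { echo "build_fragment: empty runas list" >&2; return 1; }
    # Runas_Alias keeps the list in one place; (SUPPORT_USERS) means the support
    # login may become exactly those users, so root is never reachable.
    printf 'Runas_Alias SUPPORT_USERS = %s\n' "$allowed"
    printf '%s ALL = (SUPPORT_USERS) ALL\n' "$SUPPORT_LOGIN"
}

# install_fragment USERLIST EXCLUDES DEST: write the fragment into sudoers.d
# only if visudo accepts it, so a syntax error can never break sudo.
install_fragment() {
    tmp=$(mktemp)
    build_fragment "$1" "$2" > "$tmp"
    chmod 0440 "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        mv "$tmp" "$3"          # e.g. /etc/sudoers.d/support-runas (assumed path)
    else
        rm -f "$tmp"; echo "install_fragment: visudo rejected fragment" >&2; return 1
    fi
}

# Constructed sample data: a DirectAdmin-style user list (with a duplicate) and
# the accounts the support login must never become.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' admin alice bob root carol bob > "$SAMPLE_DIR/users.list"
printf '%s\n' admin root > "$SAMPLE_DIR/exclude.list"

# Usage: build_fragment "$SAMPLE_DIR/users.list" "$SAMPLE_DIR/exclude.list"
# prints:
#   Runas_Alias SUPPORT_USERS = alice, bob, carol
#   hd7igkt7i8g ALL = (SUPPORT_USERS) ALL
# Real install (as root, with visudo present):
#   install_fragment users.list exclude.list /etc/sudoers.d/support-runas
```

Re-run the install from a DirectAdmin user_create_post.sh hook (as suggested earlier in the thread) so newly created accounts are picked up automatically; the support colleague then works with commands like `sudo -u alice rsync ...` rather than with a root shell.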
 