Was there any update on adding the ability to use sesu? Note that in our case
sesu does NOT prompt for the 'to become' user. Here is how we use it:
1) login under my personal user id
2) run "sesu - <to_become_user_id>"
3) ... it will NOT ask for any password and will directly log me under the
to_become_user_id
FYI here is the output of sesu --help:
    CA ControlMinder sesu v12.80.0.1494 - Surrogate utility
    Copyright (c) 2013 CA. All rights reserved.
    Usage: sesu [-] [name] [-l] [-n] [-s shell] [-c command]
      -h        Displays this help and exits.
      <name>    Changes ID associated with session to that of <name> user.
      - <name>  Same but sets environment like the target user.
      -l        shell will be a login shell. This option is currently supported only on Linux
      -s        Next argument is a shell that will be used instead of the user's default shell.
                This option is currently supported only on Linux
      -c        Next argument is a command.
      -n        Do not prompt for invoker password.
    NOTE: If the security authorization server is not found, system /bin/su will be used instead.
and here is a bit more info from the man page:
    NAME
        sesu - Surrogate utility
    SYNOPSIS
        sesu [ - ] [ options ] [ name ]
    DESCRIPTION
        The sesu utility provides a transparent su command that does not require the user
        to provide the password of the substituted user. The authorization process is based
        solely on AccessControl access rules as defined in class SURROGATE.
... hope that helps a bit :)
On Tuesday, September 9, 2014 at 6:45:02 PM UTC+2, Michael DeHaan wrote:
>
> excellent!
>
>
>
> On Tue, Sep 9, 2014 at 3:06 AM, Edgars <[email protected]> wrote:
>
>> Well, sesu supports the "-" flag and the "-c" flag just like su. Those two are
>> the most important, I guess. The main difference is that su requires the root
>> password when you switch to root while sesu requires the user password, just
>> like sudo. But I don't think that this should be a problem.
>>
>> Edgars
>>
>> On Monday, September 8, 2014 at 3:19:13 PM UTC+2, Michael DeHaan wrote:
>>>
>>> I think so. (Would be open to contributions, but we could also do it
>>> ourselves if needed).
>>>
>>> Is it mostly flag compatible?
>>>
>>> The one thing I want to fix with sudo_exe is it should be settable per
>>> inventory host, so we'll probably do that at the same time too, and leave
>>> the ansible.cfg setting for a default.
>>>
>>> --Michael
>>>
>>> On Mon, Sep 8, 2014 at 8:53 AM, Edgars <[email protected]> wrote:
>>>
>>>> Hi
>>>>
>>>> I see that Ansible has a sudo_exe feature for alternative sudo
>>>> implementations. Would it be possible to also implement su_exe for
>>>> alternative su implementations? In particular I am interested in the CA
>>>> AccessControl sesu utility:
>>>> https://support.ca.com/cadocs/0/CA%20Access%20Control%2012%205%205-ENU/Bookshelf_Files/HTML/1358981.html
>>>>
>>>> Thanks
>>>> Edgars
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Ansible Project" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/ansible-project/0a324e10-4e7c-4454-83fa-ac5d8ef88351%40googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>
>