User Impersonation on UNIX/Linux Using sudo (or su)

For agents running on UNIX/Linux platforms, when you configure a process step you can provide the agent(s) with the user impersonation capability. When a process step that is impersonation-configured runs, the sudo (or su) command runs the step as the impersonated user.

Process steps can be considered individual shells; the sudo (or su) command enables a user to start a shell as another user.

Note: Each step that needs user impersonation must be configured independently. For more information about creating process steps, see Process Editor.

To configure impersonation using sudo:

  1. Supply the username required by the target host.
  2. Before sudo can be used:
    1. Password Required. Impersonation privileges must be defined in the /etc/sudoers file, along with privileges to run scripts from the agent .temp folder. For example:
      User1 ALL=(User2) /home/User1/agent/var/temp/*

      This grants User1 the right to impersonate User2 in order to run plug-in steps as User2.

      Defaults:X !requiretty
      X ALL=(Y) ALL

      where X and Y are user names, and user X can run any command as user Y.

    2. No Password Required. Impersonation privileges must be defined in the /etc/sudoers file. For example:
      Defaults:X !requiretty
      X ALL=(Y) NOPASSWD: ALL

      where X and Y are user names, and user X can run any command as user Y without supplying a password.
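
As an added example (not part of the product documentation), the following Python sketch audits sudoers-style entries such as the ones above and reports how broad each impersonation grant is. The function name audit_sudoers, the finding labels and the sample text are assumptions made for illustration; the matcher handles only single-line entries, not the full sudoers grammar.

```python
import re

# Simplified matcher for single-line entries: user host=(runas) [NOPASSWD:] commands
# Assumption: no aliases, line continuations or multiple runas/tag groups.
SPEC = re.compile(
    r"^(?P<user>[^\s#=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"\((?P<runas>[^)]*)\)\s*(?P<tag>NOPASSWD:)?\s*(?P<cmd>.*)$"
)

# Constructed sample built from the entries shown on this page.
SAMPLE = """\
# agent impersonation rules
Defaults:User1 !requiretty
User1 ALL=(User2) /home/User1/agent/var/temp/*
X ALL=(Y) ALL
X ALL=(Y) NOPASSWD: ALL
"""

def audit_sudoers(text):
    """Return (line_no, user, runas, findings) for every user specification."""
    results = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue  # comments and Defaults lines grant nothing themselves
        m = SPEC.match(line)
        if not m:
            results.append((no, None, None, ["unparsed"]))
            continue
        cmd, findings = m["cmd"].strip(), []
        if not cmd:
            findings.append("no-command-list")   # incomplete entry
        elif cmd == "ALL":
            findings.append("any-command")       # unrestricted impersonation
        elif "*" in cmd:
            # Every file matching the pattern is runnable as the target user,
            # so write access to that directory decides what the grant allows.
            findings.append("wildcard-path")
        if m["tag"]:
            findings.append("no-password")       # no re-authentication
        results.append((no, m["user"], m["runas"].strip(), findings))
    return results

if __name__ == "__main__":
    for no, user, runas, findings in audit_sudoers(SAMPLE):
        print(f"line {no}: {user} -> {runas}: {', '.join(findings) or 'ok'}")
```

Validate any real change to /etc/sudoers with visudo before relying on it; this sketch only classifies entries and does not check syntax the way sudo does.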

When you create a process step, the sudo option is available for you to select. The sudo option is activated by default for plug-in steps. When the sudo check box is unchecked, the su option is active. However, the su option only applies to agents starting as root. Otherwise, su has no effect on the step or process. su can be used without configuring the sudoers file.

su and sudo maintain a record in the system logs of all of their activity.

For more information about su and sudo, see the UNIX/Linux documentation.