Do I need to specify the user:group in sudoers to impersonate other users

nooneknows2mao

I was trying to limit the command a specific user can execute in the sudoers file, say I have something like this:

Code:
dummy myserver=(ALL:ALL) /usr/sbin/reboot,/usr/sbin/shutdown



My dummy user is only allowed to reboot or shut down the system. I intentionally allow the dummy user to impersonate other users, but anytime I try using the -u option of sudo, e.g. sudo -u anotheruser whoami

I get the following error:

Code:
Sorry, user dummy is not allowed to execute '/usr/bin/whoami' as anotheruser on myserver.
I understand I can specifically call out the user and group I want to impersonate in the sudoers, but I am curious as to why the ALL:ALL doesn't work.

I would greatly appreciate your answers.
 


Solved: To impersonate any other user, I would have to specify the allowed commands:
e.g. dummy ALL=(ALL:ALL) /usr/bin/whoami

This way, the dummy user would be able to execute that command for any other user.
 
Yep - that's what I was going to say. You want to make sure you put all of the commands in there that you want them to be able to run.
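
The rule anatomy discussed in this thread, as an added example that is not part of the original posts and is not sudo's own matching code: a simplified Python model of a single `user host=(runas_users:runas_groups) commands` entry, showing that the Runas spec and the command list are checked independently. The names `parse_rule` and `check` are hypothetical, and aliases, tags, wildcards and multi-rule precedence are not modelled.

```python
import re

# Simplified model of ONE sudoers user specification (constructed for this
# example): user host=(runas_users:runas_groups) /cmd1,/cmd2
# Not modelled: aliases, tags, arguments, wildcards, negation, %groups,
# or several rules where the last match wins.
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*\(([^:)]*)(?::([^)]*))?\)\s*(.+)$")

def _items(text):
    return [x.strip() for x in (text or "").split(",") if x.strip()]

def parse_rule(line):
    m = RULE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    user, host, runas_users, runas_groups, cmds = m.groups()
    return {"user": user, "host": host, "runas_users": _items(runas_users),
            "runas_groups": _items(runas_groups), "commands": _items(cmds)}

def _in(value, allowed):
    return "ALL" in allowed or value in allowed

def check(rule, user, host, runas_user, command):
    """Return (allowed, failing_field). `command` is the resolved full path,
    as in sudo's error message. All four fields must match: the Runas spec
    widens who the listed commands run as, not which commands are listed."""
    if not _in(user, [rule["user"]]):
        return False, "user"
    if not _in(host, [rule["host"]]):
        return False, "host"
    if not _in(runas_user, rule["runas_users"]):
        return False, "runas"
    if not _in(command, rule["commands"]):
        return False, "command"
    return True, "ok"

# The two rules quoted in the thread.
ORIGINAL = parse_rule("dummy myserver=(ALL:ALL) /usr/sbin/reboot,/usr/sbin/shutdown")
SOLVED = parse_rule("dummy ALL=(ALL:ALL) /usr/bin/whoami")

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("solved", SOLVED)):
        for runas, cmd in (("anotheruser", "/usr/bin/whoami"),
                           ("root", "/usr/sbin/reboot")):
            print(name, runas, cmd, check(rule, "dummy", "myserver", runas, cmd))
```

Because `(ALL:ALL)` includes root, each command listed in such a rule can also be run as root. On a real system, `sudo -l -U dummy` lists what the installed policy actually grants.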
 
