Confused on sudo vs su and running scripts

Question

When I do sudo su - john I become user john without asking for a password.
But when I do: sudo su - john /usr/share/script_to_run.pl I am asked for a password. Same also for sudo -u john /usr/share/script_to_run.pl

Why? What am I doing wrong here?

Answer 1

"sudo" was designed to give all the functionality of "su", but not require them to use the other user's password. The answers you need are within the /etc/sudoers file, editable with the "sudo visudo" command. here you will find that you can make your user not require a password:

cratylus ALL=(ALL)       NOPASSWD: ALL

thence submit queries with

sudo -u cratylus the statement 

note: don't quote the statement - you only do this for the "su -c" command.

Answer 2

Now, first of all, the - means that you want a login shell. The first statement means that you want to, as root (hence the sudo), want to make it appear as you logged in as john. Somewhere it is configured that the user you are currently logged in as has the rights to do sudo without using a password.

What happens in the first instance is that you execute one command su - john (meaning "log me in as john), and you do that as root (since you put sudo first). Your current user has sudo-without-password-rights, and root has the right to become any user.

The second try is wrong. You can't use su to execute a command in that way, and when you want su to execute a single command, I see no reason to make it a login shell.

In the third option, you (as the currently logged in user) want to "become" john for one command. For that, you will need johns password. (When you do this as root, however, you don't need the password.)

To make it work you could probably try

sudo su --command="/usr/share/script_to_run.pl" john

or maybe even the more exotic looking

sudo sudo -u john /usr/share/script_to_run.pl