
Answer by jtlindsey for How can I allow one user to su to another without allowing root access?

For instance, I'd like to allow Tom the DBA to su to the oracle user, but not to the tomcat user or root.

I needed to do this to a system recently and had a hard time finding my notes on the alternate setup I used years ago that also allowed the syntax su <user>. In my situation I needed to allow multiple users to su to a specific user.

Create a group using addgroup <groupName> that other users will be able to su to without a password. Then add that group to each user that you want to be able to su to that user without a password: usermod -a -G <groupName> <userName> (or usermod -a -G oracle tom). The group changes might not take effect until next login.

Note: In your case, you already have the group because oracle group would have been created when you made the oracle user with adduser oracle.

Now edit /etc/pam.d/su and under the following:

    # This allows root to su without passwords (normal operation)
    auth       sufficient pam_rootok.so

..add auth rule lines so the section looks like this:

    # This allows root to su without passwords (normal operation)
    auth       sufficient pam_rootok.so
    auth       [success=ignore default=1] pam_succeed_if.so user = <groupName>
    auth       sufficient   pam_succeed_if.so use_uid user ingroup <groupName>

Replace <groupName> with oracle in this case. This will allow any user that is part of the <groupName> to su <groupName>.

Now tom can su oracle and if you need to give other users the same access, add them to oracle group.

similar question here
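
An added example, not part of the answer above: a small audit of the auth rules in /etc/pam.d/su that checks each passwordless "ingroup" grant is limited to one target user by the guard line directly before it. It goes one step beyond the answer by flagging a grant whose guard is missing, in which case group members could su to any account without a password. The function names and the sample text are assumptions constructed for this example.

```python
import re

# One auth rule: control (plain word or [bracketed list]), module, arguments.
RULE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_stack(text):
    """Return (control_tokens, module, args) per auth rule, in stack order."""
    stack = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            stack.append((set(m.group(1).strip("[]").split()),
                          m.group(2), m.group(3).split()))
    return stack

def guard_target(rule):
    """Target named by a '[success=ignore default=1] ... user = X' guard, or None."""
    control, module, args = rule
    m = re.search(r"(?:^| )user = (\S+)", " ".join(args))
    if (m and module == "pam_succeed_if.so" and "use_uid" not in args
            and control == {"success=ignore", "default=1"}):
        return m.group(1)
    return None

def audit_su_grants(text):
    """List each passwordless 'ingroup' grant with the target it is limited to."""
    stack, findings = auth_stack(text), []
    for i, (control, module, args) in enumerate(stack):
        m = re.search(r"(?:^| )user ingroup (\S+)", " ".join(args))
        if not (m and module == "pam_succeed_if.so" and "use_uid" in args
                and control == {"sufficient"}):
            continue
        # default=1 skips exactly one module, so the guard only protects the
        # grant when it is the rule immediately before it in the auth stack.
        target = guard_target(stack[i - 1]) if i else None
        findings.append(("guarded" if target else "unguarded", m.group(1), target))
    return findings

# Constructed sample: the rule pair from the answer, with oracle filled in.
GUARDED = """\
auth       sufficient pam_rootok.so
auth       [success=ignore default=1] pam_succeed_if.so user = oracle
auth       sufficient   pam_succeed_if.so use_uid user ingroup oracle
"""
# Constructed sample: same file with the guard line removed.
UNGUARDED = "".join(l for l in GUARDED.splitlines(True) if "user = " not in l)

if __name__ == "__main__":
    for name, text in (("guarded", GUARDED), ("unguarded", UNGUARDED)):
        print(name, audit_su_grants(text))
```
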

