Mailinglist Archive: opensuse-security (109 mails)

< Previous Next >
PAM: su to non-root accounts
  • From: discip@xxxxxxx
  • Date: Fri, 24 Mar 2006 13:22:28 -0500
  • Message-id: <98D8585D641AFB4488D1AE0E1B7D33FD028F3346@xxxxxxxxxxxxxxxxxxxxxxxx>

Hi, I am trying to set up my system to restrict su access to specific accounts
to members of groups that correlate.
For example, only members of root_members can su to root; only members of
web_members can su to user web, etc.


The most popular way of doing this in Linux seems to be to set up /etc/pam.d/su
with something like the following:

auth sufficient /lib/security/pam_stack.so service=root-members
auth sufficient /lib/security/pam_stack.so service=web-members
auth required /lib/security/pam_deny.so

The /etc/pam.d/root-members and /etc/pam.d/web-members would then look like
this:

# root-members
auth required /lib/security/pam_wheel.so use_uid group=root_members
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail
file=/etc/membergroups/root

# web-members
auth required /lib/security/pam_wheel.so use_uid group=web_members
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail
file=/etc/membergroups/web

And /etc/membergroups/web and /etc/membergroups/root contain just the username
"web" and "root" respectively.

Thus, in order to use the su command you must be in a group that can su to a
user, and you must be trying to su to the correct user associated with that
group. If those conditions are met, then these are sufficient for
authentication.

My question is this: SuSE Linux does not have the pam_stack.so module. Is there
a "workalike" module I could use? Or in the absence of that, does anyone have
any suggestions as to how I might accomplish the same thing in a different
fashion.

Thanks,
Paul

< Previous Next >
This Thread
Follow Ups