Hi, I am trying to set up my system to restrict su access to specific accounts to members of groups that correlate. For example, only members of root_members can su to root; only members of web_members can su to user web, etc.

The most popular way of doing this in Linux seems to be to set up /etc/pam.d/su with something like the following:

    auth sufficient /lib/security/pam_stack.so service=root-members
    auth sufficient /lib/security/pam_stack.so service=web-members
    auth required   /lib/security/pam_deny.so

The /etc/pam.d/root-members and /etc/pam.d/web-members would then look like this:

    # root-members
    auth required /lib/security/pam_wheel.so use_uid group=root_members
    auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/root

    # web-members
    auth required /lib/security/pam_wheel.so use_uid group=web_members
    auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/web

And /etc/membergroups/web and /etc/membergroups/root contain just the username "web" and "root" respectively.

Thus, in order to use the su command you must be in a group that can su to a user, and you must be trying to su to the correct user associated with that group. If those conditions are met, then these are sufficient for authentication.

My question is this: SuSE Linux does not have the pam_stack.so module. Is there a "workalike" module I could use? Or, in the absence of that, does anyone have any suggestions as to how I might accomplish the same thing in a different fashion?

Thanks,
Paul
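For comparison, here is one way to express the same group-to-target policy in the auth section of /etc/pam.d/su without pam_stack, using pam_succeed_if and Linux-PAM's `[success=N default=ignore]` jump syntax. This is an added example, not something posted in the thread; it assumes the installed Linux-PAM ships pam_succeed_if.so (Linux-PAM 0.99 and later) and that SuSE's common-auth file supplies the usual password check. Unlike the stacks quoted above, it still asks for the target user's password once a rule matches.

```text
# /etc/pam.d/su, auth section only (added example, not from the thread)
# Policy: a caller in root_members may su only to root, a caller in
# web_members only to web; anyone else is refused before a password prompt.
# In pam_succeed_if, "use_uid" makes "user" refer to the calling user's
# real uid; without it "user" is PAM_USER, which su sets to the target.
#
# Rule 1: root_members -> root
# caller in root_members: skip the next line and test the target
auth  [success=1 default=ignore]  pam_succeed_if.so quiet use_uid user ingroup root_members
# caller not in root_members: unconditional jump over the target test
auth  [default=1]                 pam_permit.so
# target is root: jump past rule 2 and pam_deny to the password check
auth  [success=4 default=ignore]  pam_succeed_if.so quiet user = root
#
# Rule 2: web_members -> web
auth  [success=1 default=ignore]  pam_succeed_if.so quiet use_uid user ingroup web_members
# caller not in web_members: fall through to pam_deny
auth  [default=1]                 pam_permit.so
# target is web: skip pam_deny
auth  [success=1 default=ignore]  pam_succeed_if.so quiet user = web
#
# No rule matched: refuse and stop processing the auth stack
auth  requisite                   pam_deny.so
# A rule matched: still require the target user's password (SuSE common-auth)
auth  include                     common-auth
```

Adding a third group/target pair means inserting three more lines before pam_deny and raising the `success=` count on each earlier target test by three, so the jump counts are worth re-checking after every edit.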
discip@pjm.com wrote on 03/24/2006 01:22:28 PM:

> Hi, I am trying to set up my system to restrict su access to specific accounts to members of groups that correlate. For example, only members of root_members can su to root; only members of web_members can su to user web, etc.
>
> The most popular way of doing this in Linux seems to be to set up /etc/pam.d/su with something like the following:
>
>     auth sufficient /lib/security/pam_stack.so service=root-members
>     auth sufficient /lib/security/pam_stack.so service=web-members
>     auth required   /lib/security/pam_deny.so
>
> The /etc/pam.d/root-members and /etc/pam.d/web-members would then look like this:
>
>     # root-members
>     auth required /lib/security/pam_wheel.so use_uid group=root_members
>     auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/root
>
>     # web-members
>     auth required /lib/security/pam_wheel.so use_uid group=web_members
>     auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/web
>
> And /etc/membergroups/web and /etc/membergroups/root contain just the username "web" and "root" respectively.
>
> Thus, in order to use the su command you must be in a group that can su to a user, and you must be trying to su to the correct user associated with that group. If those conditions are met, then these are sufficient for authentication.
>
> My question is this: SuSE Linux does not have the pam_stack.so module. Is there a "workalike" module I could use? Or, in the absence of that, does anyone have any suggestions as to how I might accomplish the same thing in a different fashion?
>
> Thanks,
> Paul

I disagree. I would get rid of any access to su. The reason is, su requires you to know the password for the user you're switching to. Also, commands are not logged when you su to another user. Enter sudo. sudo was designed to address these issues. You can set up sudo to run commands as any user, using your own password. Also, any commands that you execute with sudo are logged. This does not happen with su. I seriously recommend using sudo as opposed to su.
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
participants (2)
- discip@pjm.com
- trainier@kalsec.com