Gero Schmidt-Kärst wrote:
I guess there is an easy possibility to allow the command 'su' only to a small group of users.
You can also configure PAM (pluggable authentication modules) for this purpose. The following configuration of /etc/pam.d/su is not only convenient, because it does not prompt for a password. It may also be more secure: when you use an ssh client with X11 forwarding, the other side can also try to listen to the passwords that you enter in another window on the same X server. You should also never su from a less secure account to a more secure one, because the su command may have been replaced by a trojan. This configuration does not allow that in the first place, and thus enforces good security practice. As you are never prompted for a password, a trojaned "su" can also not trick you into entering one so easily.

/etc/pam.d/su:

#%PAM-1.0
# This configuration never prompts for a password.

# SuSE-Default:
auth sufficient pam_rootok.so

# The users (usually only one) in suuser_list.txt are allowed to switch to any user.
# These accounts should only be used for system maintenance. (For instance you don't want to start KDE directly as root.)
auth sufficient pam_listfile.so item=ruser sense=allow file=/etc/pam.d/suuser_list.txt onerr=fail

# The users (usually only one) in suuser_list2.txt can only switch to users in suuser_list2_to.txt.
# This allows one to set up an extra account ("surfer") for web browsing. So in case there is a security
# hole in the browser, the attacker does not get access to sensitive data (like private gpg or ssh keys).
# Konqueror can be started like this: sux -c "cd; /opt/kde3/bin/konqueror" -l surfer
auth required pam_listfile.so item=ruser sense=allow file=/etc/pam.d/suuser_list2.txt onerr=fail
auth sufficient pam_listfile.so item=user sense=allow file=/etc/pam.d/suuser_list2_to.txt onerr=fail
# (I wonder how to extend the scheme to more pairs of suuser_list?.txt, suuser_list?_to.txt.)

# No other uses of su are allowed:
auth required pam_deny.so

# SuSE-Defaults:
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
#session required pam_homecheck.so
session required pam_unix2.so debug # none or trace
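As an added example (not from the original post or from SuSE), here is a small Python model of the auth stack above that lets an administrator audit which ruser -> user switches the stack would permit before deploying it. It models only the modules the post uses (pam_rootok, pam_listfile with sense=allow, pam_deny) with Linux-PAM's required/sufficient semantics; the contents of the three list files are constructed sample data, and pam_rootok is simplified to a name check on "root".

```python
import shlex

# The 'auth' lines of /etc/pam.d/su from the post (password/session lines not modelled).
PAM_SU_AUTH = """\
auth sufficient pam_rootok.so
auth sufficient pam_listfile.so item=ruser sense=allow file=/etc/pam.d/suuser_list.txt onerr=fail
auth required   pam_listfile.so item=ruser sense=allow file=/etc/pam.d/suuser_list2.txt onerr=fail
auth sufficient pam_listfile.so item=user sense=allow file=/etc/pam.d/suuser_list2_to.txt onerr=fail
auth required   pam_deny.so
"""

# Constructed sample contents of the three list files (one user per line).
LISTS = {
    "/etc/pam.d/suuser_list.txt": ["admin"],
    "/etc/pam.d/suuser_list2.txt": ["alice"],
    "/etc/pam.d/suuser_list2_to.txt": ["surfer"],
}

def run_module(module, args, ruser, user, lists):
    """Return True for PAM_SUCCESS, False for any failure code."""
    if module == "pam_rootok.so":
        return ruser == "root"      # simplification: the real module checks uid 0
    if module == "pam_deny.so":
        return False
    if module == "pam_listfile.so":
        opts = dict(a.split("=", 1) for a in args)
        entries = lists.get(opts["file"])
        if entries is None:         # unreadable list file: onerr=fail denies
            return False
        value = ruser if opts["item"] == "ruser" else user
        found = value in entries
        return found if opts.get("sense", "allow") == "allow" else not found
    raise ValueError(f"module not modelled: {module}")

def su_allowed(ruser, user, config=PAM_SU_AUTH, lists=LISTS):
    """Walk the stack with Linux-PAM control semantics: a failed 'required'
    line is remembered and makes the whole stack fail; a successful
    'sufficient' line ends the stack with success unless a 'required' line
    already failed; a failed 'sufficient' line is simply skipped."""
    failed_required = False
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _facility, control, module, *args = shlex.split(line)
        ok = run_module(module, args, ruser, user, lists)
        if control == "required" and not ok:
            failed_required = True
        elif control == "sufficient" and ok and not failed_required:
            return True
    return False    # end of stack: the trailing pam_deny guarantees failure
```

With the sample lists, "alice" may only become "surfer", "admin" may become anyone, and every other ruser is refused by the final pam_deny line.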