Mailinglist Archive: opensuse-security (485 mails)

Re: allow 'su' to limited users
  • From: Thomas Leske <leskets@xxxxxx>
  • Date: Thu, 11 Mar 2004 15:18:09 +0100
  • Message-id: <40507521.6070809@xxxxxx>
Gero Schmidt-Kärst wrote:
> I guess there is an easy possibility to allow the command 'su' only to a
> small group of users.

You can also configure PAM (pluggable authentication modules) for this purpose.
The following configuration of /etc/pam.d/su is not only convenient, because it
does not prompt for a password. It may also be more secure:
When you use an ssh client with X11 forwarding, the other side can also try to
listen to the passwords that you enter in another window on the same X server.
You should also never su from a less secure account to a more secure one,
because the su command may have been replaced by a trojan. This configuration
does not allow that in the first place, and thus enforces good security practice.
As you are never prompted for a password, a trojaned "su" also cannot trick
you into entering one so easily.

/etc/pam.d/su:
#%PAM-1.0
# This configuration never prompts for a password.

# SuSE-Default:
auth sufficient pam_rootok.so

# The users (usually only one) in suuser_list.txt are allowed to switch to any user.
# These accounts should only be used for system maintenance. (For instance you don't want to start KDE directly as root).
auth sufficient pam_listfile.so item=ruser sense=allow file=/etc/pam.d/suuser_list.txt onerr=fail

# The users (usually only one) in suuser_list2.txt can only switch to users in suuser_list2_to.txt.
# This allows one to set up an extra account ("surfer") for web browsing. So in case there is a security
# hole in the browser, the attacker does not get access to sensitive data (like private gpg or ssh keys).
# Konqueror can be started like this: sux -c "cd; /opt/kde3/bin/konqueror" -l surfer
# A failing 'required' line is remembered but evaluation continues; the following 'sufficient'
# line only grants access if no earlier 'required' line has failed.
auth required pam_listfile.so item=ruser sense=allow file=/etc/pam.d/suuser_list2.txt onerr=fail
auth sufficient pam_listfile.so item=user sense=allow file=/etc/pam.d/suuser_list2_to.txt onerr=fail
# (I wonder how to extend the scheme to more pairs of suuser_list?.txt, suuser_list?_to.txt.)

# no other uses of su are allowed:
auth required pam_deny.so

# SuSE-Defaults:
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
#session required pam_homecheck.so
session required pam_unix2.so debug # none or trace
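To verify which (calling user, target user) pairs the auth stack above admits before deploying it, here is an added example (not part of the post) that simulates Linux-PAM's 'required'/'sufficient' evaluation over those auth lines. The contents of the three list files and the user names admin and alice are constructed assumptions; only the modules and control flags used in the post are modelled.

```python
"""Offline simulation of the 'auth' stack from the /etc/pam.d/su above.

Added example, not part of the original post. The list-file contents are
constructed here (the post does not show them); real PAM reads them from disk.
"""

# Constructed stand-ins for the three list files the post references.
LIST_FILES = {
    "/etc/pam.d/suuser_list.txt": {"admin"},
    "/etc/pam.d/suuser_list2.txt": {"alice"},
    "/etc/pam.d/suuser_list2_to.txt": {"surfer"},
}

# The auth lines from the post, in order (comments and other types omitted).
AUTH_STACK = [
    "auth sufficient pam_rootok.so",
    "auth sufficient pam_listfile.so item=ruser sense=allow file=/etc/pam.d/suuser_list.txt onerr=fail",
    "auth required pam_listfile.so item=ruser sense=allow file=/etc/pam.d/suuser_list2.txt onerr=fail",
    "auth sufficient pam_listfile.so item=user sense=allow file=/etc/pam.d/suuser_list2_to.txt onerr=fail",
    "auth required pam_deny.so",
]


def run_module(module, args, ruser, user):
    """Return True (PAM_SUCCESS) or False for one module invocation."""
    if module == "pam_rootok.so":
        return ruser == "root"          # the real module checks for uid 0
    if module == "pam_deny.so":
        return False
    if module == "pam_listfile.so":
        entries = LIST_FILES.get(args["file"])
        if entries is None:             # unreadable file: onerr=fail denies
            return False
        value = ruser if args["item"] == "ruser" else user
        return (value in entries) == (args["sense"] == "allow")
    raise ValueError(module)


def su_allowed(ruser, user):
    """Evaluate the stack with the Linux-PAM 'required'/'sufficient' rules."""
    failed = False
    for line in AUTH_STACK:
        _, control, module, *rest = line.split()
        args = dict(a.split("=", 1) for a in rest)
        ok = run_module(module, args, ruser, user)
        if control == "sufficient" and ok and not failed:
            return True                 # success short-circuits the stack
        if control == "required" and not ok:
            failed = True               # remembered, but evaluation continues
    return not failed
```

With these lists, root and admin may switch to anyone, alice may switch only to surfer, and every other combination is denied by the final pam_deny.so line.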

