Mailinglist Archive: opensuse-security (109 mails)

Re: [suse-security] PAM: su to non-root accounts
  • From: trainier@xxxxxxxxxx
  • Date: Fri, 24 Mar 2006 13:48:17 -0500
  • Message-id: <OFE8CB956D.88093A8B-ON8525713B.0066E506-8525713B.00674BE5@xxxxxxxxxxxxxxx>
discip@xxxxxxx wrote on 03/24/2006 01:22:28 PM:

> Hi, I am trying to set up my system to restrict su access to specific
> to members of groups that correlate.
> For example, only members of root_members can su to root; only members
> of web_members can su to user web, etc.
> The most popular way of doing this in Linux seems to be to set up
> /etc/pam.d/su
> with something like the following:
> auth sufficient /lib/security/ service=root-members
> auth sufficient /lib/security/ service=web-members
> auth required /lib/security/

I disagree. I would get rid of any access to su.
The reason is, su requires you to know the password for the user you're
switching to.
Also, commands are not logged when you su to another user.

Enter sudo. sudo was designed to address these issues. You can set up
sudo to run commands as any user, using your own password. Also, any
commands that you execute with sudo are logged. This does not happen with su.

I seriously recommend using sudo as opposed to su.

> The /etc/pam.d/root-members and /etc/pam.d/web-members would then look
> like this:
> # root-members
> auth required /lib/security/ use_uid group=root_members
> auth required /lib/security/ item=user sense=allow
> file=/etc/membergroups/root
> # web-members
> auth required /lib/security/ use_uid group=web_members
> auth required /lib/security/ item=user sense=allow
> file=/etc/membergroups/web
> And /etc/membergroups/web and /etc/membergroups/root contain just the
> "web" and "root" respectively.
> Thus, in order to use the su command you must be in a group that can su
> to a user, and you must be trying to su to the correct user associated
> with that group. If those conditions are met, then these are sufficient for
> authentication.
> My question is this: SuSE Linux does not have the
> module. Is there
> a "workalike" module I could use? Or in the absence of that, does
> anyone have
> any suggestions as to how I might accomplish the same thing in a
> fashion.
> Thanks,
> Paul
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
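
A sudoers policy that implements the group-to-target-user mapping from the quoted question with sudo instead of su, as an added example that is not part of the original mail. The group names root_members and web_members and the target user web come from the question; the file name, the log path and the Defaults settings are assumptions.

```sudoers
# /etc/sudoers.d/group-su  (added example; the file name is an assumption)
# Edit with "visudo -f /etc/sudoers.d/group-su" so the syntax is checked before
# it goes live. Loading files from /etc/sudoers.d needs an "#includedir" line
# in /etc/sudoers (newer sudo); on older sudo, add these lines to /etc/sudoers
# itself via visudo.

# Authenticate with the invoking user's own password, never the target's.
Defaults        !targetpw, !rootpw, !runaspw

# Log every invocation (who, from where, as whom, which command) via syslog
# and to a local file as well.
Defaults        syslog=authpriv
Defaults        logfile=/var/log/sudo.log

# Start the target command from a sanitised environment.
Defaults        env_reset

# Members of root_members may run any command as root.
%root_members   ALL = (root) ALL

# Members of web_members may run any command, but only as the "web" user.
%web_members    ALL = (web) ALL
```

A member of web_members then runs `sudo -u web <command>` (or `sudo -u web -s` for a shell as web), and `sudo -l` shows each user exactly what they are allowed to run. One caveat worth knowing: when the command spec is `ALL` and a user starts a shell through sudo, only the shell start is logged, not what is typed inside it; if per-command logging is the goal, replace `ALL` in the command field with the specific commands each group needs, so that each one is a separate, logged sudo invocation.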
