Mailinglist Archive: opensuse-security (109 mails)

Re: [suse-security] PAM: su to non-root accounts
  • From: trainier@xxxxxxxxxx
  • Date: Fri, 24 Mar 2006 13:48:17 -0500
  • Message-id: <OFE8CB956D.88093A8B-ON8525713B.0066E506-8525713B.00674BE5@xxxxxxxxxxxxxxx>
discip@xxxxxxx wrote on 03/24/2006 01:22:28 PM:

>
> Hi, I am trying to set up my system to restrict su access to specific accounts
> to members of groups that correlate.
> For example, only members of root_members can su to root; only members of
> web_members can su to user web, etc.
>
>
> The most popular way of doing this in Linux seems to be to set up
> /etc/pam.d/su
> with something like the following:
>
> auth sufficient /lib/security/pam_stack.so service=root-members
> auth sufficient /lib/security/pam_stack.so service=web-members
> auth required /lib/security/pam_deny.so

I disagree. I would get rid of any access to su.
The reason is, su requires you to know the password for the user you're
switching to.
Also, commands are not logged when you su to another user.

Enter sudo. sudo was designed to address these issues. You can set up
sudo to run commands as any user, using your own password. Also, any
commands that you execute with sudo are logged. This does not happen with su.

I seriously recommend using sudo as opposed to su.

> The /etc/pam.d/root-members and /etc/pam.d/web-members would then look like
> this:
>
> # root-members
> auth required /lib/security/pam_wheel.so use_uid group=root_members
> auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/root
>
> # web-members
> auth required /lib/security/pam_wheel.so use_uid group=web_members
> auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/web
>
> And /etc/membergroups/web and /etc/membergroups/root contain just the username
> "web" and "root" respectively.
>
> Thus, in order to use the su command you must be in a group that can su to a
> user, and you must be trying to su to the correct user associated with that
> group. If those conditions are met, then these are sufficient for
> authentication.
>
> My question is this: SuSE Linux does not have the pam_stack.so
> module. Is there
> a "workalike" module I could use? Or in the absence of that, does anyone have
> any suggestions as to how I might accomplish the same thing in a different
> fashion?
>
> Thanks,
> Paul
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>

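Added example, not part of the thread: a /etc/sudoers fragment that gives the group-to-target-user mapping Paul described, implemented with the sudo approach recommended in the reply (caller's own password, every command logged). The group names root_members and web_members come from the question; the log file path is an assumption.

```sudoers
# Added example: /etc/sudoers fragment (edit with visudo, never directly).
# Group names come from the question; /var/log/sudo.log is an assumed path.

# Log every sudo invocation to a flat file in addition to syslog.
Defaults    logfile=/var/log/sudo.log

# Authenticate with the caller's own password, never the target account's.
Defaults    !targetpw, !rootpw, !runaspw

# Members of root_members may run any command as root, and only as root.
%root_members ALL = (root) ALL

# Members of web_members may run any command as user web, and only as web.
%web_members  ALL = (web)  ALL
```

A member of web_members then gets a login shell as web with `sudo -u web -i`, while `sudo -u root -i` is refused and the refusal is logged.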
