Mailinglist Archive: opensuse-security (109 mails)

PAM: su to non-root accounts
  • From: discip@xxxxxxx
  • Date: Fri, 24 Mar 2006 13:22:28 -0500
  • Message-id: <98D8585D641AFB4488D1AE0E1B7D33FD028F3346@xxxxxxxxxxxxxxxxxxxxxxxx>

Hi, I am trying to set up my system to restrict su access to specific accounts
to members of groups that correlate.
For example, only members of root_members can su to root; only members of
web_members can su to user web, etc.

The most popular way of doing this in Linux seems to be to set up /etc/pam.d/su
with something like the following:

auth sufficient /lib/security/ service=root-members
auth sufficient /lib/security/ service=web-members
auth required /lib/security/

The /etc/pam.d/root-members and /etc/pam.d/web-members would then look like

# root-members
auth required /lib/security/ use_uid group=root_members
auth required /lib/security/ item=user sense=allow onerr=fail

# web-members
auth required /lib/security/ use_uid group=web_members
auth required /lib/security/ item=user sense=allow onerr=fail

And /etc/membergroups/web and /etc/membergroups/root contain just the username
"web" and "root" respectively.

Thus, in order to use the su command you must be in a group that can su to a
user, and you must be trying to su to the correct user associated with that
group. If those conditions are met, then these are sufficient for

My question is this: SuSE Linux does not have the module. Is there
a "workalike" module I could use? Or in the absence of that, does anyone have
any suggestions as to how I might accomplish the same thing in a different

