[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[suse-security] PAM: su to non-root accounts



Hi, I am trying to set up my system to restrict su access to specific accounts
to members of groups that correlate.
For example, only members of root_members can su to root; only members of
web_members can su to user web, etc.


The most popular way of doing this in Linux seems to be to set up /etc/pam.d/su
with something like the following:

auth sufficient /lib/security/pam_stack.so service=root-members
auth sufficient /lib/security/pam_stack.so service=web-members
auth required /lib/security/pam_deny.so 

The /etc/pam.d/root-members and /etc/pam.d/web-members would then look like
this:

# root-members
auth required /lib/security/pam_wheel.so use_uid group=root_members
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail
file=/etc/membergroups/root 

# web-members
auth required /lib/security/pam_wheel.so use_uid group=web_members
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail
file=/etc/membergroups/web 

And /etc/membergroups/web and /etc/membergroups/root contain just the username
"web" and "root" respectively.

Thus, in order to use the su command you must be in a group that can su to a
user, and you must be trying to su to the correct user associated with that
group.  If those conditions are met, then these are sufficient for
authentication.

My question is this: SuSE Linux does not have the pam_stack.so module.  Is there
a "workalike" module I could use?  Or in the absence of that, does anyone have
any suggestions as to how I might accomplish the same thing in a different
fashion.

Thanks,
Paul

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here