
Re: [suse-security] PAM: su to non-root accounts



discip@xxxxxxx wrote on 03/24/2006 01:22:28 PM:

> 
> Hi, I am trying to set up my system to restrict su access to specific accounts
> to members of groups that correlate.
> For example, only members of root_members can su to root; only members of
> web_members can su to user web, etc.
> 
> 
> The most popular way of doing this in Linux seems to be to set up
> /etc/pam.d/su
> with something like the following:
> 
> auth sufficient /lib/security/pam_stack.so service=root-members
> auth sufficient /lib/security/pam_stack.so service=web-members
> auth required /lib/security/pam_deny.so

I disagree.  I would get rid of any access to su.
The reason is, su requires you to know the password for the user you're
switching to.
Also, commands are not logged when you su to another user.

Enter sudo.  sudo was designed to address these issues.  You can set up
sudo to run commands as any user, using your own password.  Also, any
commands that you execute with sudo are logged.  This does not happen with su.

I seriously recommend using sudo as opposed to su.

> The /etc/pam.d/root-members and /etc/pam.d/web-members would then look like
> this:
> 
> # root-members
> auth required /lib/security/pam_wheel.so use_uid group=root_members
> auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail
> file=/etc/membergroups/root
> 
> # web-members
> auth required /lib/security/pam_wheel.so use_uid group=web_members
> auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail
> file=/etc/membergroups/web
> 
> And /etc/membergroups/web and /etc/membergroups/root contain just the username
> "web" and "root" respectively.
> 
> Thus, in order to use the su command you must be in a group that can su to a
> user, and you must be trying to su to the correct user associated with that
> group.  If those conditions are met, then these are sufficient for
> authentication.
> 
> My question is this: SuSE Linux does not have the pam_stack.so module.  Is there
> a "workalike" module I could use?  Or in the absence of that, does anyone have
> any suggestions as to how I might accomplish the same thing in a different
> fashion.
> 
> Thanks,
> Paul
> 
> -- 
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
> 

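The sudo approach the reply recommends, expressed as sudoers rules that implement the same group-to-target-user mapping Paul described (root_members to root, web_members to web). This is an added example, not configuration from either mail; the group names come from the question, while the log file path is an assumption (sudo also logs to syslog by default).

```sudoers
# Added example: sudo equivalent of the per-group su policy from the thread.
# Not part of the original mail. Group names are from the question; the
# logfile path is an assumption.

# Write an audit line for every sudo invocation (invoking user, target user,
# working directory, command) to a dedicated file in addition to syslog.
Defaults logfile=/var/log/sudo.log

# Members of root_members may run any command as root. They authenticate with
# their own password (sudo's default), so root's password need not be shared.
%root_members ALL = (root) ALL

# Members of web_members may run any command as the web user, and as nobody else.
%web_members  ALL = (web)  ALL
```

Install the rules with `visudo` (which syntax-checks the file before saving). A member of web_members then runs `sudo -u web some-command`, and each such call is logged with the invoking user, the target user and the command; an attempt by that user to run something as root is refused and logged as a violation. Two caveats a practitioner should keep in mind: `ALL` as the command list is the sudo counterpart of su, so a member can obtain an interactive shell as the target user (`sudo -u web -i`), and sudo then records only the shell invocation, not the commands typed inside it; replacing `ALL` with a list of specific commands both narrows the grant and keeps every action in the log. These rules also do not disable su itself, so the pam_wheel restriction from the quoted configuration, or removing access to the su binary, remains a separate step.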