discippjm.com
Date: Fri Mar 24 2006 - 12:22:28 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi, I am trying to set up my system to restrict su access to specific accounts
to members of groups that correlate.
For example, only members of root_members can su to root; only members of
web_members can su to user web, etc.

The most popular way of doing this in Linux seems to be to set up /etc/pam.d/su
with something like the following:

auth sufficient /lib/security/pam_stack.so service=root-members
auth sufficient /lib/security/pam_stack.so service=web-members
auth required /lib/security/pam_deny.so

The /etc/pam.d/root-members and /etc/pam.d/web-members would then look like
this:

# root-members
auth required /lib/security/pam_wheel.so use_uid group=root_members
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail
file=/etc/membergroups/root

# web-members
auth required /lib/security/pam_wheel.so use_uid group=web_members
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail
file=/etc/membergroups/web

And /etc/membergroups/web and /etc/membergroups/root contain just the username
"web" and "root" respectively.

Thus, in order to use the su command you must be in a group that can su to a
user, and you must be trying to su to the correct user associated with that
group. If those conditions are met, then these are sufficient for
authentication.

My question is this: SuSE Linux does not have the pam_stack.so module. Is there
a "workalike" module I could use? Or in the absence of that, does anyone have
any suggestions as to how I might accomplish the same thing in a different
fashion.

Thanks,
Paul

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]