LinuxQuestions.org
Old 09-17-2011, 01:51 AM   #1
bvz
LQ Newbie
 
Registered: Sep 2011
Posts: 28

Rep: Reputation: Disabled
Basic question about the PAM su file


I am trying to limit su capability to two groups using the PAM modules (I know, I know. Saying "PAM modules" is redundant).

The groups are: admin and sugrp

Editing /etc/pam.d/su, right after the line that says:

auth sufficient pam_rootok.so

I add:

auth sufficient pam_wheel.so group=sugrp
auth required pam_wheel.so group=admin


But this prevents anyone from using 'su', not just users who are not in either group. Any clues as to what I am doing wrong?
 
Old 09-17-2011, 12:25 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I don't see anything in the pam_wheel(8) documentation that indicates you can stack tests in that way. You can try setting both lines as sufficient but I do not think that will enforce the requirement correctly.

Might want to just pick a single group for the privilege and keep it that way.
 
Old 09-18-2011, 02:08 AM   #3
bvz
LQ Newbie
 
Registered: Sep 2011
Posts: 28

Original Poster
Rep: Reputation: Disabled
Thanks for the quick reply.

I never thought of it that way. I assumed that each call to pam_wheel.so (or any plugin) was like a function call. You could call it as much as you wanted and it would just return a result.

I tried setting them both to sufficient as you suggested, but as you guessed, it did not work. Everyone can su then.

My original intention is to have only a single user be able to ssh into the box (by editing the sshd_config file and putting their name into the AllowUsers line). This user would be a regular user (among several who have accounts on the machine) who does not have admin privileges. I want this user to be able to su to another account that has sudo privileges. I don't want any other "regular" users to even have an opportunity to try to su for paranoid security reasons. I thought I would use PAM to control this but I may be trying in the wrong place. Another poster here suggested I edit the sudoers file to accomplish this but I couldn't figure out how to deny su privileges to all the other users.

Maybe I am being unnecessarily complicated here? Should I even have this two step process (ssh in as an unprivileged user and then su to an admin)? I'm just worried that one of the other users will have crappy password etiquette and then an unauthorized person could try to su up to admin.

That said... if I limit ssh to a single user (even an admin user) and I am not running any of the LAMP software (only thing running is netatalk, avahi and ssh), maybe I am being unnecessarily paranoid. Maybe I should just focus on making the firewall very tight. Don't know. Any opinions on this would be welcome.
 
Old 09-18-2011, 01:00 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by bvz
I never thought of it that way. I assumed that each call to pam_wheel.so (or any plugin) was like a function call. You could call it as much as you wanted and it would just return a result.
The conceptual problem is you need for either group to be required, and stacking the tests means the result can never be true (because it will read as both groups). As you discovered, setting both to sufficient does not get to the desired result either. Unfortunately (AFAIK), the module does not accept a list of groups on a single test.

Quote:
Originally Posted by bvz
My original intention is to have only a single user be able to ssh into the box (by editing the sshd_config file and putting their name into the AllowUsers line).
Good idea.

Quote:
Originally Posted by bvz
Should I even have this two step process (ssh in as an unprivileged user and then su to an admin)? I'm just worried that one of the other users will have crappy password etiquette and then an unauthorized person could try to su up to admin.
IMO, you're better off nipping this problem in the bud by enforcing strong passwords system wide. The pam_passwdqc module is great for that.

A regular user trying to guess root's passphrase of - "Tim:: went to the market and the monkey stabbed him" - is going to have a difficult time. And you're going to see the failed attempts in the logs. (If you're not watching log reports, now is the time to start doing so.)

Last edited by anomie; 09-18-2011 at 01:04 PM.
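An added example, not code from this thread: a small Python model of how Linux-PAM walks the "required"/"sufficient" lines of the su auth stack from post #1, covering the stacking question raised in post #4. It uses the pam_wheel(8) rule that a group member yields PAM_IGNORE rather than PAM_SUCCESS unless the trust option is given; the users and groups are constructed, only those two control flags are modelled, any include/substack lines of a real /etc/pam.d/su are reduced to one password check that is assumed to succeed.

```python
# Simplified model of Linux-PAM's "required"/"sufficient" evaluation for the
# su auth stack from post #1 (added example; not the thread's own code).
SUCCESS, IGNORE, DENIED = "success", "ignore", "denied"

# Constructed sample data: alice is in admin, bob is in sugrp, carol in neither.
GROUPS = {"admin": {"alice"}, "sugrp": {"bob"}}

def pam_rootok(user, **_):
    return SUCCESS if user == "root" else DENIED

def pam_wheel(user, group="wheel", trust=False, **_):
    # pam_wheel(8): a member gets PAM_SUCCESS only with 'trust', otherwise
    # PAM_IGNORE (the line is skipped); a non-member is denied.
    if user in GROUPS.get(group, set()):
        return SUCCESS if trust else IGNORE
    return DENIED

def pam_unix(user, **_):
    return SUCCESS  # assumption: the password prompt is answered correctly

def run_auth_stack(stack, user):
    """Walk [(control, module, options)] top to bottom and return the verdict."""
    required_failed = saw_success = False
    for control, module, opts in stack:
        result = module(user, **opts)
        if result == IGNORE:
            continue
        if control == "required":
            if result == SUCCESS:
                saw_success = True
            else:
                required_failed = True  # keep walking, but the stack will fail
        elif control == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS  # short-circuit: the remaining lines are not consulted
        # a failing 'sufficient' line is simply ignored
    # no required failure plus at least one success is needed; all-ignore -> denied
    return DENIED if required_failed or not saw_success else SUCCESS

SU_STACK = [  # post #1's lines, followed by the usual password check
    ("sufficient", pam_rootok, {}),
    ("sufficient", pam_wheel, {"group": "sugrp"}),
    ("required", pam_wheel, {"group": "admin"}),
    ("required", pam_unix, {}),
]

def who_can_su(stack=SU_STACK, users=("root", "alice", "bob", "carol")):
    return {u: run_auth_stack(stack, u) for u in users}
```

Calling who_can_su() shows the effective policy of that stack is "root and admin members only": bob (sugrp only) never reaches the password check because the required admin line denies him. Adding trust to the sugrp line flips bob to an immediate success, which also means he is never asked for a password, so that option needs the same care as any passwordless su.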
 
Old 09-18-2011, 04:22 PM   #5
bvz
LQ Newbie
 
Registered: Sep 2011
Posts: 28

Original Poster
Rep: Reputation: Disabled
anomie,

Thanks for the reply. Everything you said makes sense. I'll skip trying to limit su and make sure that everyone has a decent password like you suggest (using pam_passwdqc). I'm new to setting up a server, and even though this is just a small one with limited "value" regarding the data on it, I am pretty paranoid.

My intention is to lock it down to the absolute minimum amount of accessibility outside my local network. So a single user will be allowed to ssh (on a non-standard port), a different user will be allowed to ftp (via vsftpd and a virtual user account) and everyone else is allowed access only via the netatalk module from the local network (enforced via iptables). I also plan on installing port-knocking software (even though that is security via obscurity, the added obscurity can only help, right?).

Thanks again.
 
  

