LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Suse/Novell
Old 03-14-2005, 12:33 PM   #1
roadin
LQ Newbie
 
Registered: Mar 2005
Posts: 3

Rep: Reputation: 0
Restricting su to certain users


I am running SuSE 9.2 based server with PAM activated. All my logins (other than the console) are via ssh.

I have got things set up so that root can only login on the console, but once someone is logged in I want to be able to restrict their use of the su command.

At present anyone can try to su (to root) and have a "crack" at guessing the password.

How can I ensure that only users I want get a password prompt and all others are told they cannot su to root?
 
Old 03-14-2005, 12:38 PM   #2
Valhalla
Member
 
Registered: Dec 2004
Location: Atlanta
Distribution: Gentoo 2005.1, Ubuntu 5.10
Posts: 267

Rep: Reputation: 30
I'm not sure about the groups on SuSe, but on Gentoo, there is a "wheel" group that users have to be part of in order to use su. I suppose you could either look into that, or, make your own equivalent, and make the su command owned by your wheel group.
 
Old 03-14-2005, 12:41 PM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1967
there are a number of ways to control access. su itself can use the /etc/suauth file, which contains an arbitrary list of users and rights:
Code:
       # sample /etc/suauth file
       #
       # A couple of privileged usernames may
       # su to root with their own password.
       #
       root:chris,birddog:OWNPASS
       #
       # Anyone else may not su to root unless in
       # group wheel. This is how BSD does things.
       #
       root:ALL EXCEPT GROUP wheel:DENY
       #
       # Perhaps terry and birddog are accounts
       # owned by the same person.
       # Access can be arranged between them
       # with no password.
       #
       terry:birddog:NOPASS
       birddog:terry:NOPASS
       #
this is, as i said, an arbitrary list, and explicitly defined. what you should possibly look at first is some forms of implicit access. in /etc/pam.d/su you have the pam level access to su, and in there you should have a line like:
Code:
auth       required     /lib/security/pam_wheel.so use_uid
this states that in order to even begin using su, the user must be a member of the "wheel" group. so you don't manually provide them su access, you simply add them to an existing group, and things fall into place. I only ended up researching this in general as the password-less suing for wheel users stopped working, and so i ended up ignoring pam and using the NOPASS option in suauth, which feels a lot more of a cheap hack than following things through in pam.
 
Old 03-15-2005, 09:11 AM   #4
roadin
LQ Newbie
 
Registered: Mar 2005
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the posts - I was aware of wheel, but was not aware that PAM supported it. I now have

auth required pam_wheel.so

in my su script.

However I did not add "use_uid" at the end of the pam_wheel.so line, as the docs say this is insecure - someone could su to a wheel group member then su to root if they had both passwords.

It does not quite do what I wanted, in that it still permits users to have a stab at the password, but it does seem to always return incorrect password if the user is not in group wheel which is near enough (as a user would not be able to tell if they had the root password or not).

One small trap I fell into by the way when trying this out that others may wish to be aware of, the group file is only looked at during login, if you add a user to wheel on the fly they will still not be able to su until they log out and in again.

Thanks to everyone for their help.

Last edited by roadin; 03-16-2005 at 08:29 AM.
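An added audit script (not from any poster in this thread) that checks the two things posts #3 and #4 turn on: whether a /etc/pam.d/su stack actually carries an active pam_wheel.so line (and whether it still has the use_uid option that roadin chose to drop), and who is really listed in the wheel group. The pam.d and group files below are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Audit helper (example code, not from the thread).
# Constructed sample files stand in for /etc/pam.d/su and /etc/group.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed pam.d/su with the line acid_kewpie quoted (use_uid kept)
cat > "$TMP/su" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_wheel.so use_uid
auth       required     pam_unix.so
EOF
# Constructed pam.d/su with the guard commented out: anyone may try root's password
cat > "$TMP/su.noguard" <<'EOF'
#auth      required     pam_wheel.so
auth       required     pam_unix.so
EOF
# Constructed group(5) file; chris and birddog are the wheel members
cat > "$TMP/group" <<'EOF'
root:x:0:
wheel:x:10:chris,birddog
users:x:100:
EOF

# Print "enforced" or "enforced-use_uid" when an active auth line loads
# pam_wheel.so as required/requisite; print "missing" and return 1 otherwise.
# Commented-out lines are ignored because the pattern anchors on "auth".
pam_su_check() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+(/lib/security/)?pam_wheel\.so' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 1
    fi
    case "$line" in
        *use_uid*) echo enforced-use_uid ;;
        *)         echo enforced ;;
    esac
}

# Print the comma-separated member list of wheel from group file $1.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# Succeed when user $2 is listed in wheel in group file $1.
in_wheel() {
    wheel_members "$1" | tr ',' '\n' | grep -qx "$2"
}
```

Because pam_wheel consults the groups of the running session, compare `wheel_members /etc/group` against `id -nG` for a freshly added user to see the relogin trap roadin describes.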
 
Old 03-15-2005, 01:17 PM   #5
roadin
LQ Newbie
 
Registered: Mar 2005
Posts: 3

Original Poster
Rep: Reputation: 0


[I have deleted the original text as it was no longer relevant]

Last edited by roadin; 03-16-2005 at 08:56 AM.