LinuxQuestions.org


bvz 09-17-2011 12:51 AM

Basic question about the PAM su file
 
I am trying to limit su capability to two groups using the PAM modules (I know, I know. Saying "PAM modules" is redundant)

The groups are: admin and sugrp

Editing /etc/pam.d/su, right after the line that says:

auth sufficient pam_rootok.so

I add:

auth sufficient pam_wheel.so group=sugrp
auth required pam_wheel.so group=admin


But this prevents anyone from using 'su', not just users who are not in either group. Any clues as to what I am doing wrong?

anomie 09-17-2011 11:25 AM

I don't see anything in the pam_wheel(8) documentation that indicates you can stack tests in that way. You can try setting both lines as sufficient but I do not think that will enforce the requirement correctly.

Might want to just pick a single group for the privilege and keep it that way.

bvz 09-18-2011 01:08 AM

Thanks for the quick reply.

I never thought of it that way. I assumed that each call to pam_wheel.so (or any plugin) was like a function call. You could call it as much as you wanted and it would just return a result.

I tried setting them both to sufficient as you suggested, but as you guessed, it did not work. Everyone can su then.

My original intention is to have only a single user be able to ssh into the box (by editing the sshd_config file and putting their name into the AllowUsers line). This user would be a regular user (among several who have accounts on the machine) who does not have admin privileges. I want this user to be able to su to another account that has sudo privileges. I don't want any other "regular" users to even have an opportunity to try to su for paranoid security reasons. I thought I would use PAM to control this but I may be trying in the wrong place. Another poster here suggested I edit the sudoers file to accomplish this but I couldn't figure out how to deny su privileges to all the other users.

Maybe I am being unnecessarily complicated here? Should I even have this two step process (ssh in as an unprivileged user and then su to an admin)? I'm just worried that one of the other users will have crappy password etiquette and then an unauthorized person could try to su up to admin.

That said... if I limit ssh to a single user (even an admin user) and I am not running any of the LAMP software (only thing running is netatalk, avahi and ssh), maybe I am being unnecessarily paranoid. Maybe I should just focus on making the firewall very tight. Don't know. Any opinions on this would be welcome.

anomie 09-18-2011 12:00 PM

Quote:

Originally Posted by bvz
I never thought of it that way. I assumed that each call to pam_wheel.so (or any plugin) was like a function call. You could call it as much as you wanted and it would just return a result.

The conceptual problem is you need for either group to be required, and stacking the tests means the result can never be true (because it will read as both groups). As you discovered, setting both to sufficient does not get to the desired result either. Unfortunately (AFAIK), the module does not accept a list of groups on a single test.

Quote:

Originally Posted by bvz
My original intention is to have only a single user be able to ssh into the box (by editing the sshd_config file and putting their name into the AllowUsers line).

Good idea.

Quote:

Originally Posted by bvz
Should I even have this two step process (ssh in as an unprivileged user and then su to an admin)? I'm just worried that one of the other users will have crappy password etiquette and then an unauthorized person could try to su up to admin.

IMO, you're better off nipping this problem in the bud by enforcing strong passwords system wide. The pam_passwdqc module is great for that.

A regular user trying to guess root's passphrase of - "Tim:: went to the market and the monkey stabbed him" - is going to have a difficult time. And you're going to see the failed attempts in the logs. (If you're not watching log reports, now is the time to start doing so.)
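A defender-side check to go with the log-watching advice in the post above, added here and not part of the thread: a POSIX shell script that counts failed su attempts per calling user from pam_unix auth-log lines and flags anyone who keeps trying. The log lines are constructed samples, and the optional log path and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report failed su attempts per caller.
# The lines below are constructed sample log entries in the pam_unix format.
sample_log() {
  cat <<'EOF'
Sep 18 01:02:03 box su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=root
Sep 18 01:02:09 box su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=root
Sep 18 01:02:15 box su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=root
Sep 18 01:05:00 box su: pam_unix(su:session): session opened for user root by alice(uid=1000)
Sep 18 01:07:42 box su: pam_unix(su:auth): authentication failure; logname=carol uid=1002 euid=0 tty=/dev/pts/1 ruser=carol rhost=  user=root
Sep 18 01:10:00 box sshd[2233]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=bob
EOF
}

# Print "caller target count" for su auth failures, most frequent first.
# Reads the log file(s) given as arguments, or the sample above if none.
# Only su lines count; the sshd failure in the sample is deliberately skipped.
failed_su_report() {
  { if [ $# -gt 0 ]; then cat "$@"; else sample_log; fi; } | awk '
    /su: pam_unix\(su:auth\): authentication failure/ {
      ruser = ""; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^ruser=/) ruser = substr($i, 7)   # who ran su
        if ($i ~ /^user=/)  target = substr($i, 6)  # account they tried to reach
      }
      if (ruser == "") ruser = "?"
      count[ruser " " target]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort -k3,3nr -k1,1
}

# Print the callers whose failure count reaches the threshold (assumed default 3).
flag_repeat_offenders() {
  threshold=${1:-3}
  failed_su_report | awk -v t="$threshold" '$3 >= t { print $1 }'
}
```

Run `failed_su_report /var/log/auth.log` (or wherever your syslog sends auth messages) to use real input instead of the sample.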

bvz 09-18-2011 03:22 PM

anomie,

Thanks for the reply. Everything you said makes sense. I'll skip trying to limit su and make sure that everyone has a decent password like you suggest (using pam_passwdqc). I'm new to setting up a server, and even though this is just a small one with limited "value" regarding the data on it, I am pretty paranoid.

My intention is to lock it down to the absolute minimum amount of accessibility outside my local network. So a single user will be allowed to ssh (on a non-standard port), a different user will be allowed to ftp (via vsftpd and a virtual user account) and everyone else is allowed access only via the netatalk module from the local network (enforced via iptables). I also plan on installing port-knocking software (even though that is security via obscurity, the added obscurity can only help, right?)

Thanks again.

