Restricting su to certain users
I am running SuSE 9.2 based server with PAM activated. All my logins (other than the console) are via ssh.
I have got things set up so that root can only login on the console, but once someone is logged in I want to be able to restrict their use of the su command. At present anyone can try to su (to root) and have a "crack" at guessing the password. How can I ensure that only users I want get a password prompt and all others are told they cannot su to root?
I'm not sure about the groups on SuSe, but on Gentoo, there is a "wheel" group that users have to be part of in order to use su. I suppose you could either look into that, or make your own equivalent, and make the su command owned by your wheel group.
There are a number of ways to control access. su itself can use the /etc/suauth file, which contains an arbitrary list of users and rights:
Code:
# sample /etc/suauth file
Code:
auth required /lib/security/pam_wheel.so use_uid
Thanks for the posts - I was aware of wheel, but was not aware that PAM supported it. I now have
Code:
auth required pam_wheel.so
in my su script. However, I did not add "use_uid" at the end of the pam_wheel.so line, as the docs say this is insecure: someone could su to a wheel group member and then su to root if they had both passwords. It does not quite do what I wanted, in that it still permits users to have a stab at the password, but it does seem to always return "incorrect password" if the user is not in group wheel, which is near enough (as a user would not be able to tell whether they had the root password or not). One small trap I fell into, by the way, when trying this out, that others may wish to be aware of: the group file is only looked at during login, so if you add a user to wheel on the fly they will still not be able to su until they log out and in again. Thanks to everyone for their help.
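As an added illustration (not a post from this thread, and not SuSE's stock file), here is an /etc/pam.d/su fragment showing the wheel check the way the thread settled on, next to the variant that refuses non-wheel users before any password prompt. The "requisite" control flag and the "group=" option are standard Linux-PAM / pam_wheel features; the pam_unix lines are an assumption about what the rest of the su stack looks like.

```pam
# /etc/pam.d/su (added example, not from any post in this thread)
#
# Variant A: what the last post ends up with. pam_wheel is "required",
# so a user outside the wheel group is still prompted for a password
# (pam_unix runs regardless) and only afterwards sees "incorrect password".
auth     required   pam_wheel.so group=wheel
auth     required   pam_unix.so
#
# Variant B: "requisite" returns to su at the first failure, so a user
# who is not in the wheel group is refused before pam_unix ever asks for
# the root password, which is what the original question wanted.
# (Uncomment these two lines and comment out the two above to use it.)
#auth    requisite  pam_wheel.so group=wheel
#auth    required   pam_unix.so
#
# "use_uid" makes pam_wheel check the real uid of the calling process
# rather than the user name of the login session; whether to add it is
# the trade-off discussed in the thread, so it is left off here.
account  required   pam_unix.so
session  required   pam_unix.so
```

Edit this file with a second root shell still open, since a mistake in the su stack locks out every user until it is corrected from the console.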
[I have deleted the original text as it was no longer relevant]