LinuxQuestions.org


roadin 03-14-2005 11:33 AM

Restricting su to certain users
 
I am running SuSE 9.2 based server with PAM activated. All my logins (other than the console) are via ssh.

I have got things set up so that root can only login on the console, but once someone is logged in I want to be able to restrict their use of the su command.

At present anyone can try to su (to root) and have a "crack" at guessing the password.

How can I ensure that only users I want get a password prompt and all others are told they cannot su to root?

Valhalla 03-14-2005 11:38 AM

I'm not sure about the groups on SuSe, but on Gentoo, there is a "wheel" group that users have to be part of in order to use su. I suppose you could either look into that, or, make your own equivalent, and make the su command owned by your wheel group.

acid_kewpie 03-14-2005 11:41 AM

there are a number of ways to control access. su itself can use the /etc/suauth file, which contains an arbitrary list of users and rights:
Code:

      # sample /etc/suauth file
      #
      # A couple of privileged usernames may
      # su to root with their own password.
      #
      root:chris,birddog:OWNPASS
      #
      # Anyone else may not su to root unless in
      # group wheel. This is how BSD does things.
      #
      root:ALL EXCEPT GROUP wheel:DENY
      #
      # Perhaps terry and birddog are accounts
      # owned by the same person.
      # Access can be arranged between them
      # with no password.
      #
      terry:birddog:NOPASS
      birddog:terry:NOPASS
      #

this is, as i said, an arbitrary list, and explicitly defined. what you should possibly look at first is some forms of implicit access. in /etc/pam.d/su you have the pam level access to su, and in there you should have a line like:
Code:

auth      required    /lib/security/pam_wheel.so use_uid
this states that in order to even begin using su, the user must be a member of the "wheel" group. so you don't manually provide them su access, you simply add them to an existing group, and things fall into place. I only ended up researching this in general as the password-less suing for wheel users stopped working, and so i ended up ignoring pam and using the NOPASS option in suauth, which feels a lot more of a cheap hack than following things through in pam.
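
As an added example (not code from this thread or from the shadow-utils project), here is a small evaluator for a suauth rule set, so an admin can check what each user would get when running `su root` before installing the file. The rules are the constructed sample quoted above; group membership is a constructed in-memory map standing in for /etc/group, and "first matching line wins" and "no match means the ordinary target-password prompt" are assumptions, not something the post states.

```python
# Added example: evaluate /etc/suauth rules for (from_user, to_user) offline.
# Not code from the thread or from shadow-utils. Assumptions: the first matching
# line wins, and no match means the normal target-password prompt ("TARGETPASS").
# Constructed sample: the rules quoted in the post above.
SUAUTH = """
root:chris,birddog:OWNPASS
root:ALL EXCEPT GROUP wheel:DENY
terry:birddog:NOPASS
birddog:terry:NOPASS
"""

# Constructed group membership standing in for /etc/group (assumption).
GROUPS = {"wheel": {"chris", "birddog", "ops"}}


def parse_rules(text):
    """Parse 'to-id:from-id:ACTION' lines, skipping comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        to_id, from_id, action = (f.strip() for f in line.split(":", 2))
        rules.append((to_id, from_id, action.upper()))
    return rules


def from_matches(spec, user, groups):
    """Match the from-id field: user list, ALL, GROUP g, or ALL EXCEPT <either>."""
    negate = spec.startswith("ALL EXCEPT ")
    if negate:
        spec = spec[len("ALL EXCEPT "):]
    if spec == "ALL":
        hit = True
    elif spec.startswith("GROUP "):
        names = [g.strip() for g in spec[len("GROUP "):].split(",")]
        hit = any(user in groups.get(g, set()) for g in names)
    else:
        hit = user in [u.strip() for u in spec.split(",")]
    return hit != negate


def decide(rules, from_user, to_user, groups):
    """Return the ACTION of the first matching rule, else 'TARGETPASS'."""
    for to_id, from_id, action in rules:
        if to_id in ("ALL", to_user) and from_matches(from_id, from_user, groups):
            return action
    return "TARGETPASS"


def audit(users=("chris", "alice", "ops", "terry")):
    """Outcome of 'su root' for each sample user under the constructed policy."""
    rules = parse_rules(SUAUTH)
    return {u: decide(rules, u, "root", GROUPS) for u in users}
```

Note that a wheel member with no explicit line (here `ops`) falls through to the normal root-password prompt, which is exactly the "have a crack at guessing" situation the original question is about.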

roadin 03-15-2005 08:11 AM

Thanks for the posts - I was aware of wheel, but was not aware that PAM supported it. I now have

auth required pam_wheel.so

in my su script.

However I did not add "use_uid" at the end of the pam_wheel.so line, as the docs say this is insecure - someone could su to a wheel group member then su to root if they had both passwords.

It does not quite do what I wanted, in that it still permits users to have a stab at the password, but it does seem to always return incorrect password if the user is not in group wheel, which is near enough (as a user would not be able to tell if they had the root password or not).

One small trap I fell into by the way when trying this out, that others may wish to be aware of: the group file is only looked at during login, so if you add a user to wheel on the fly they will still not be able to su until they log out and in again.

Thanks to everyone for their help.

roadin 03-15-2005 12:17 PM

[I have deleted the original text as it was no longer relevant]
