Old 03-14-2005, 12:33 PM   #1
LQ Newbie
Registered: Mar 2005
Posts: 3

Restricting su to certain users

I am running a SuSE 9.2-based server with PAM activated. All my logins (other than the console) are via ssh.

I have got things set up so that root can only login on the console, but once someone is logged in I want to be able to restrict their use of the su command.

At present anyone can try to su (to root) and have a "crack" at guessing the password.

How can I ensure that only users I want get a password prompt and all others are told they cannot su to root?
Old 03-14-2005, 12:38 PM   #2
Registered: Dec 2004
Location: Atlanta
Distribution: Gentoo 2005.1, Ubuntu 5.10
Posts: 267

I'm not sure about the groups on SuSE, but on Gentoo there is a "wheel" group that users have to be part of in order to use su. I suppose you could either look into that, or make your own equivalent and make the su command owned by your wheel group.
Old 03-14-2005, 12:41 PM   #3
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

There are a number of ways to control access. su itself can use the /etc/suauth file, which contains an arbitrary list of users and rights:
       # sample /etc/suauth file
       # A couple of privileged usernames may
       # su to root with their own password.
       # Anyone else may not su to root unless in
       # group wheel. This is how BSD does things.
       root:ALL EXCEPT GROUP wheel:DENY
       # Perhaps terry and birddog are accounts
       # owned by the same person.
       # Access can be arranged between them
       # with no password.
This is, as I said, an arbitrary list, and explicitly defined. What you should possibly look at first is some form of implicit access. In /etc/pam.d/su you have the PAM-level access to su, and in there you should have a line like:
auth       required     /lib/security/ use_uid
This states that in order to even begin using su, the user must be a member of the "wheel" group. So you don't manually provide them su access, you simply add them to an existing group, and things fall into place. I only ended up researching this in general as the password-less su'ing for wheel users stopped working, and so I ended up ignoring PAM and using the NOPASS option in suauth, which feels a lot more of a cheap hack than following things through in PAM.
Old 03-15-2005, 09:11 AM   #4
LQ Newbie
Registered: Mar 2005
Posts: 3

Original Poster
Thanks for the posts - I was aware of wheel, but was not aware that PAM supported it. I now have

auth required

in my su script.

However I did not add "use_uid" at the end of the line, as the docs say this is insecure - someone could su to a wheel group member then su to root if they had both passwords.

It does not quite do what I wanted, in that it still permits users to have a stab at the password, but it does seem to always return "incorrect password" if the user is not in group wheel, which is near enough (as a user would not be able to tell if they had the root password or not).

One small trap I fell into, by the way, when trying this out, that others may wish to be aware of: the group file is only looked at during login. If you add a user to wheel on the fly they will still not be able to su until they log out and in again.

Thanks to everyone for their help.

Last edited by roadin; 03-16-2005 at 08:29 AM.
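To make the suauth route from post #3 concrete, here is an added illustration (not code from any of the posts) that models how the shadow-suite su evaluates /etc/suauth rules of the form to-id:from-id:ACTION. It uses the root:ALL EXCEPT GROUP wheel:DENY rule from post #3 plus the terry/birddog pair its sample comments describe. Group membership is a constructed table standing in for /etc/group so it runs offline, and PROMPT is my label for "no rule matched, so su falls back to prompting for the target account's password". The point it demonstrates is the one the original poster asked for: a user outside wheel is refused before any root password prompt, while a wheel member gets the prompt.

```python
"""Model of /etc/suauth rule evaluation for the shadow-suite su.

Added illustration, not code from the thread. Group membership is a
constructed table (GROUPS) standing in for /etc/group so it runs offline.
"""

# Constructed /etc/suauth encoding the policy the thread is after:
# nobody outside group wheel gets as far as a root password prompt.
SUAUTH = """\
# Only wheel members may su to root; everyone else is refused outright.
root:ALL EXCEPT GROUP wheel:DENY
# terry and birddog belong to the same person: switch with no password.
terry:birddog:NOPASS
birddog:terry:NOPASS
"""

# Constructed group membership (a real tool would read /etc/group via grp).
GROUPS = {
    "wheel": {"alice"},
    "users": {"alice", "bob", "terry", "birddog"},
}

ACTIONS = {"DENY", "NOPASS", "OWNPASS"}


def parse_suauth(text):
    """Parse suauth(5) lines of the form to-id:from-id:ACTION.

    Blank lines and '#' comments are skipped; anything else malformed is
    rejected rather than silently ignored, since a typo in an access
    control file should fail loudly.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected to-id:from-id:ACTION")
        to_id, from_id, action = (f.strip() for f in fields)
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown ACTION {action!r}")
        rules.append((to_id, from_id, action))
    return rules


def in_group(user, group):
    return user in GROUPS.get(group, set())


def id_matches(spec, user):
    """Match one id field against a user.

    Forms accepted by suauth(5): a comma-separated list of users, ALL,
    GROUP g1,g2, and ALL EXCEPT followed by any of the previous forms.
    """
    if spec == "ALL":
        return True
    if spec.startswith("ALL EXCEPT "):
        return not id_matches(spec[len("ALL EXCEPT "):].strip(), user)
    if spec.startswith("GROUP "):
        groups = [g.strip() for g in spec[len("GROUP "):].split(",")]
        return any(in_group(user, g) for g in groups)
    return user in {u.strip() for u in spec.split(",")}


def su_decision(rules, from_user, to_user):
    """Return DENY, NOPASS or OWNPASS from the first matching rule.

    The shadow su scans the file in order and stops at the first match.
    With no match it behaves as usual and prompts for the target account's
    password; that case is reported here as PROMPT.
    """
    for to_id, from_id, action in rules:
        if id_matches(to_id, to_user) and id_matches(from_id, from_user):
            return action
    return "PROMPT"


if __name__ == "__main__":
    rules = parse_suauth(SUAUTH)
    for frm, to in [("bob", "root"), ("alice", "root"),
                    ("terry", "birddog"), ("bob", "terry")]:
        print(f"su from {frm} to {to}: {su_decision(rules, frm, to)}")
```

Two caveats that come from outside the thread. First, /etc/suauth is only honoured by a shadow-suite su built with suauth support; the util-linux su shipped by many current distributions ignores the file entirely, so check `su --version` before relying on it. Second, on the PAM side, the behaviour post #4 describes (non-wheel users still get a prompt that always fails) is what the `required` control flag gives, because the stack carries on to pam_unix after pam_wheel.so fails; with `requisite` on the pam_wheel.so line (the module the truncated /lib/security/ paths above refer to), su returns failure immediately and non-wheel users never see a password prompt at all.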
Old 03-15-2005, 01:17 PM   #5
LQ Newbie
Registered: Mar 2005
Posts: 3

Original Poster

[I have deleted the original text as it was no longer relevant]

Last edited by roadin; 03-16-2005 at 08:56 AM.