Restricting su to certain users

roadin · 03-14-2005, 11:33 AM

I am running SuSE 9.2 based server with PAM activated. All my logins (other than the console) are via ssh.

I have got things set up so that root can only login on the console, but once someone is logged in I want to be able to restrict their use of the su command.

At present anyone can try to su (to root) and have a "crack" at guessing the password.

How can I ensure that only users I want get a password prompt and all others are told they cannot su to root?

Valhalla · 03-14-2005, 11:38 AM

I'm not sure about the groups on SuSe, but on Gentoo, there is a "wheel" group that users hvae to be part of in order to use su. I suppose you could either look into that, or, make your own equivalent, and make the su command owned by ur wheel group.

acid_kewpie · 03-14-2005, 11:41 AM

there are a number of ways to control access. su itself can use the /etc/suauth file, which contains an arbitrary list of users and rights:

Code:

       # sample /etc/suauth file
       #
       # A couple of privileged usernames may
       # su to root with their own password.
       #
       root:chris,birddog:OWNPASS
       #
       # Anyone else may not su to root unless in
       # group wheel. This is how BSD does things.
       #
       root:ALL EXCEPT GROUP wheel:DENY
       #
       # Perhaps terry and birddog are accounts
       # owned by the same person.
       # Access can be arranged between them
       # with no password.
       #
       terry:birddog:NOPASS
       birddog:terry:NOPASS
       #

this is, as i said, an arbitrary listm, and explicitly defined. what you should possibly look at first is some forms of implicit access. in /etc/pam.s/su you have the pam level access to su, and in there you should have a line like:

Code:

auth       required     /lib/security/pam_wheel.so use_uid

this states that in order to even begin using su, the user must be a member of the "wheel" group. so you don't manually provide them su access, you simply add them to an existing group, and things fall into place. I only ended up researching this in general as the password-less suing for wheel users stopped working, and so i ended up ignoring pam and using the NOPASS option in suauth, which feels a lot more of a cheap hack that following things through in pam.

roadin · 03-15-2005, 08:11 AM

Thanks for the posts - I was aware of wheel, but was not aware that PAM supported it. I how have

auth required pam_wheel.so

in my su script.

However I did not add "use_uid" at the end of the pam_wheel.so line, as the docs say this is insecure - someone could su to a wheel group member then su to root if they had both passwords.

It does not quite do what I wanted, in that it still permits users to have a stab at the password, but it does seem to always return incorrect password if the user is not in group wheel which is near enough (as a user would not be able to tell if they had the root pasword or not).

One small trap I fell into by the way when trying this out that others may wish to be aware of, the group file is only looked at during login, if you add a user to wheel on the fly they will still not be able to su until they log out and in again.

Thanks to everyone for their help.

roadin · 03-15-2005, 12:17 PM

[I have deleted the original text as it was no longer relevent]