[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: deny su to a specific user



owkay,

I added
auth       sufficient   /lib/security/pam_stack.so service=su-limiting
to /etc/pam.d/su.

/etc/pam.d/su-limiting contains
auth       sufficient   /lib/security/pam_stack.so service=members-secoff
auth       required     /lib/security/pam_deny.so

/etc/pam.d/members-secoff contains
auth       required     /lib/security/pam_wheel.so use_uid group=nonex
auth       required     /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/secoff

and /etc/membergroups/secoff contains
secoff

The group nonex _does_ exist :-) but not a single user is a member of
said group.

Still, any user who is part of the wheel group can su to secoff.

Is this a problem where the wheel thingie overrides the above settings?

Or did I miss something?

Thanks

cnf

On Thu, 2002-12-19 at 16:13, Werner Puschitz wrote:
> 
> You might want to check out 
> http://www.puschitz.com/Security.shtml
> - Setting Up "su" Restrictions for "root"
> - Setting Up "su" Restrictions for Other Accounts 
> 
> I welcome any feedback.
> 
> Werner
> 
> 
> On 19 Dec 2002, cnf wrote:
> 
> > Nod, I figured it would be something like that, but I can't find the
> > parameter :-/
> > 
> > Mind posting it when you can check it?
> > 
> > Thanks
> > 
> > On Thu, 2002-12-19 at 03:18, Nelson Sampaio Araujo Junior wrote:
> > > You can specify this on the "su" pam rules in /etc/pam.d/su. There is a
> > > parameter for "not allowed" groups/users. (sorry for not telling the
> > > parameter, but I'm without my unix access right now to check for you).
> > > 
> > > - Nelson
> > > 
> > > -----Original Message-----
> > > From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com] On Behalf
> > > Of cnf
> > > Sent: Wednesday, December 18, 2002 5:49 PM
> > > To: pam-list@redhat.com
> > > 
> > > I have one specific user (uid 400 *grin*) that I want to deny ALL login
> > > attempts to.
> > > 
> > > So only direct console login would be allowed.
> > > 
> > > I got it all working; the only thing I can't seem to get done is the su
> > > part.
> > > 
> > > How do I tell PAM that ANY su attempt to uid 400 is to be forbidden?
> > > 
> > > No matter if the su-ing user is in group wheel, or root himself, su to
> > > uid 400 needs to be denied.
> > > 
> > > Ideally I would want that user only to be able to log in on ttyS0, but
> > > for now I'll settle for solving the su problem :-)
> > > 
> > > Any suggestions?
> > > 
> > > 
> > > cnf
> > > -- 
> > > Please avoid sending me Word or PowerPoint attachments.
> > > See http://www.fsf.org/philosophy/no-word-attachments.html
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Pam-list mailing list
> > > Pam-list@redhat.com
> > > https://listman.redhat.com/mailman/listinfo/pam-list
> > > 
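Added example, not from the thread: a complete /etc/pam.d/su for the Red Hat layout used above (pam_stack chaining to system-auth) that refuses su to a listed target account no matter who is calling, wrapped in a small shell script that writes the files to a staging directory and checks the rule order before anything goes near /etc/pam.d. The reason the posted stack lets wheel members through is the control flag, not pam_wheel: a module marked "sufficient" that fails is simply ignored, so when su-limiting fails (members-secoff can never succeed because nobody is in group nonex, and pam_deny then fails the rest) su just carries on with whatever follows in /etc/pam.d/su and accepts secoff's password. A deny rule has to be "required" or "requisite", and it has to come before pam_rootok.so, otherwise root's shortcut fires first. Note also that in the su service PAM_USER is the account being switched *to*, so pam_listfile item=user matches the target, while pam_wheel use_uid looks at the caller. The deny-list path /etc/security/su-denied-targets, the PAMDIR and DENYLIST variables and the check function are my own choices, not anything the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread): deny "su" to one target account,
# regardless of whether the caller is in wheel or is root.
#
# Assumptions (not in the original post): a Red Hat-style /etc/pam.d/su that
# chains to system-auth via pam_stack, and a deny list kept at
# /etc/security/su-denied-targets. PAMDIR defaults to a staging directory so
# the output can be reviewed; run as root with PAMDIR=/etc/pam.d to install.
set -eu

PAMDIR="${PAMDIR:-./pam.d.staging}"
DENYLIST="${DENYLIST:-$PAMDIR/su-denied-targets}"

# One target user name per line. pam_listfile refuses a list that is
# world-writable, so keep it root-owned and 0644 when installing for real.
write_denylist() {
  mkdir -p "$(dirname "$1")"
  printf '%s\n' secoff > "$1"
  chmod 0644 "$1"
}

# $1 = path of the su service file, $2 = path of the deny list
write_su_config() {
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<EOF
#%PAM-1.0
# The target-user deny list must come BEFORE pam_rootok.so: a failing
# "requisite" ends the stack at once, so neither root's shortcut nor a
# correct password from a wheel member can rescue the request.
auth       requisite    /lib/security/pam_listfile.so item=user sense=deny file=$2 onerr=fail
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_stack.so service=system-auth
# Same gate in the account stack, so the rule holds even if the auth
# stack is ever satisfied by some other path.
account    requisite    /lib/security/pam_listfile.so item=user sense=deny file=$2 onerr=fail
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
EOF
}

# Sanity check: the deny rule must be the first auth line, i.e. ahead of
# pam_rootok.so. Prints "ok" and returns 0 on success, 1 otherwise.
check_su_config() {
  first=$(grep -E '^auth' "$1" | head -n 1)
  case "$first" in
    *requisite*pam_listfile.so*sense=deny*) echo ok; return 0 ;;
    *) echo "deny rule is not the first auth line in $1" >&2; return 1 ;;
  esac
}

write_denylist "$DENYLIST"
write_su_config "$PAMDIR/su" "$DENYLIST"
check_su_config "$PAMDIR/su"
```

Two caveats. This is a policy guard, not protection against a hostile root: root can edit the service file or the list, so it only stops accidental or casual use of su to that account. And it does nothing about secoff's own logins; confining that account to ttyS0 is a separate job for pam_access (or pam_securetty) in the login service, not for /etc/pam.d/su.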