how to prohibit user 's operation

Ian jonhson jonhson.ian at gmail.com
Tue Sep 4 09:40:05 UTC 2007


Hi,

I login a account, for example my_name_1, now I want to change to
other account, named my_name_2. For example,

$ whoami
tom           <--- legal user
$ su john   <--  illegal operation, should be refused.

In this case, how to refuse the request by PAM ?

The user going through this above case can be other persons, PAM
should be able to determine whether the operation is legal. However,
it is not easy to accomplish the operation control.

The user may be a legal user, however his operation to switch account
have to be prohibited. I used the pam_sm_authenticate to authenticate
the user is legal. But when I refuse his operation (su, in above
example) by pam_sm_acct_mgt, it can not get what I want.

In pam_sm_authenticate, it returns PAM_SUCCESS if user is legal one.
And, in pam_sm_acct_mgt, I want to return PAM_AUTH_ERR, but the su
operation is still in function and switch to john.

What should I do?

Thank you very much

Ian




More information about the Pam-list mailing list