[Freeipa-users] How to set a user group rule to allow su - oracle only?
Arpit Tolani
arpittolani at gmail.com
Tue Jul 17 11:13:50 UTC 2012
Hello
On Tue, Jul 17, 2012 at 3:15 AM, Steven Jones <Steven.Jones at vuw.ac.nz>wrote:
> Hi,
>
> If I login as say user1, I want that user to be able to su - oracle, but
> not to say su - root (or to any other user).
>
> If user2 logs in I want them unable to su - X at all and especially not
> root.
>
> If an admin logs in I want them to be able to su - anybody...
>
> In a way before I could do that with the wheel group and pam.
>
> regards
>
> Steven Jones
> rob
>
# cat /etc/pam.d/su
auth       sufficient   pam_rootok.so
# caller (real uid, use_uid) is in group1: continue; otherwise skip the next line
auth       [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1
# target user is listed: skip the two group2 lines; otherwise deny
auth       [success=2 default=die] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
# caller is in group2: continue; otherwise deny
auth       [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2
# target user must be listed, else deny
auth       requisite    pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    optional     pam_xauth.so
With the above configuration:
members of group1 will be able to su only to users listed in /etc/security/su-group1-access;
members of group2 will be able to su only to users listed in /etc/security/su-group2-access;
users who are in neither group1 nor group2 will not be able to su to anyone;
root will be able to su to anyone.
Hope that helps; change it as per your requirement.
Regards
Arpit Tolani
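The control-flag jumps in the config above (default=1, success=2) are easy to misread, so here is an added example, not code from the original post, from FreeIPA or from Linux-PAM, that re-implements the Linux-PAM dispatcher's handling of ok / done / die / bad / ignore / jump-N (and the sufficient / requisite / required keywords) in simplified form and walks the posted auth stack with it. The users, uids, groups, access-file contents and the treatment of "include system-auth" as a single password-checking module are all assumptions made for the simulation; the pam_wheel, pam_listfile and pam_rootok behaviour is modelled from their documented options (trust, use_uid, item=user, sense=allow, onerr=fail).

```python
"""Simulate the 'auth' stack of the /etc/pam.d/su config posted above.

Added example; not the post's, FreeIPA's or Linux-PAM's code. It models the
libpam dispatcher just far enough to check who may su to whom under that
config. All system state below is constructed sample data.
"""

# --- constructed sample system state (assumptions, not from the post) ---
UIDS = {"root": 0, "user1": 1001, "user2": 1002, "admin": 1003, "oracle": 1004}
GROUPS = {"group1": {"user1"}, "group2": {"admin"}}   # groups checked by pam_wheel
ACCESS_FILES = {                                      # pam_listfile files
    "/etc/security/su-group1-access": {"oracle"},
    "/etc/security/su-group2-access": {"root", "oracle", "user1", "user2"},
}

SUCCESS, IGNORE, AUTH_ERR, PERM_DENIED, SERVICE_ERR = (
    "success", "ignore", "auth_err", "perm_denied", "service_err")

# The post's auth stack, transcribed as (control, module, args).
AUTH_STACK = [
    ("sufficient", "pam_rootok.so", {}),
    ({"default": 1, "success": "ok", "ignore": "ignore"},
     "pam_wheel.so", {"group": "group1"}),
    ({"success": 2, "default": "die"},
     "pam_listfile.so", {"file": "/etc/security/su-group1-access"}),
    ({"default": "die", "success": "ok", "ignore": "ignore"},
     "pam_wheel.so", {"group": "group2"}),
    ("requisite",
     "pam_listfile.so", {"file": "/etc/security/su-group2-access"}),
    # 'auth include system-auth' is modelled as one required module that
    # succeeds when the caller's password is correct (simplification).
    ("required", "system-auth", {}),
]

# Keyword controls expanded to their [...] equivalents, per pam.conf(5).
KEYWORDS = {
    "sufficient": {"success": "done", "default": "ignore"},
    "requisite":  {"success": "ok", "default": "die"},
    "required":   {"success": "ok", "default": "bad"},
}


def run_module(module, args, caller, target, password_ok):
    """Return code of one module. 'caller' is the user owning the real uid
    (use_uid); 'target' is the user su is asked to become (item=user)."""
    if module == "pam_rootok.so":
        return SUCCESS if UIDS[caller] == 0 else AUTH_ERR
    if module == "pam_wheel.so":            # trust: SUCCESS instead of IGNORE on match
        return SUCCESS if caller in GROUPS.get(args["group"], set()) else PERM_DENIED
    if module == "pam_listfile.so":         # sense=allow: listed target passes
        if args["file"] not in ACCESS_FILES:
            return SERVICE_ERR              # onerr=fail: unreadable file denies
        return SUCCESS if target in ACCESS_FILES[args["file"]] else AUTH_ERR
    if module == "system-auth":
        return SUCCESS if password_ok else AUTH_ERR
    raise ValueError(module)


def su_allowed(caller, target, password_ok=True):
    """Walk the stack like libpam's dispatcher; True if 'su - <target>' run
    by <caller> passes the auth phase."""
    impression, status = None, None         # None == undecided (_PAM_UNDEF)
    i = 0
    while i < len(AUTH_STACK):
        control, module, args = AUTH_STACK[i]
        table = KEYWORDS[control] if isinstance(control, str) else control
        ret = run_module(module, args, caller, target, password_ok)
        action = table.get(ret, table["default"])
        i += 1
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # ok/done only override a state that is undecided or still positive
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
        else:                               # integer N: skip the next N modules;
            i += action                     # the skip itself leaves the result untouched
    return impression == "positive" and status == SUCCESS


def who_can_su(callers=("root", "user1", "user2", "admin"),
               targets=("root", "oracle", "user2")):
    """Map each caller to the targets it may become (password assumed correct)."""
    return {c: {t for t in targets if su_allowed(c, t)} for c in callers}


if __name__ == "__main__":
    for caller, targets in who_can_su().items():
        print(f"{caller:>6} -> {sorted(targets) or 'nobody'}")
```

Two things the walk makes visible: pam_wheel with use_uid decides on the caller's real uid, while pam_listfile with item=user decides on the target account, so the access files hold target usernames; and because the group2 branch is only reached through the default=1 jump, a caller in both groups is judged by the group1 list alone. Keep the two access files root-owned and not world-writable, otherwise anyone who can edit them grants themselves su.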