how to prohibit user 's operation
Les Mikesell
les at futuresource.com
Tue Sep 4 13:01:16 UTC 2007
Ian jonhson wrote:
> Hi,
>
> I log in to an account, for example my_name_1, and now I want to change to
> another account, named my_name_2. For example,
>
> $ whoami
> tom <--- legal user
> $ su john <-- illegal operation, should be refused.
>
> In this case, how can the request be refused by PAM?
>
> The user going through the above case can be other persons; PAM
> should be able to determine whether the operation is legal. However,
> it is not easy to accomplish this operation control.
>
> The user may be a legal user; however, his operation to switch accounts
> has to be prohibited. I used pam_sm_authenticate to authenticate that
> the user is legal. But when I refuse his operation (su, in the above
> example) in pam_sm_acct_mgmt, it does not get what I want.
>
> In pam_sm_authenticate, it returns PAM_SUCCESS if the user is a legal one.
> And in pam_sm_acct_mgmt, I want to return PAM_AUTH_ERR, but the su
> operation still goes ahead and switches to john.
>
> What should I do?
Normally the 'auth' entry in /etc/pam.d/su would be something that makes
you enter the password for the new user unless you are root or a member
of a trusted group. Isn't having to know the password enough to control
the operation?
--
Les Mikesell
lesmikesell at gmail.com
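As an added illustration (not part of the original thread, and not a stock distribution file), here is an /etc/pam.d/su stack of the kind Les describes, built from standard Linux-PAM modules. The "include system-auth" lines assume a Red Hat style layout; the trusted group "wheel" and the deny file /etc/su.deny are assumptions made for the example. The account stack is also where the original poster's pam_sm_acct_mgmt verdict would be evaluated, and the control flag on that line decides whether the verdict can block the su.

```conf
#%PAM-1.0
# /etc/pam.d/su -- illustration only, assumed Red Hat style layout.

# auth: root switches to anyone without a password ...
auth        sufficient    pam_rootok.so
# ... members of the trusted group (wheel, assumed) may su without a
# password; drop 'trust' to make them type the target user's password too.
auth        sufficient    pam_wheel.so trust use_uid
# Everyone else must enter the password of the account being switched TO.
auth        include       system-auth

# account: a module here sees the TARGET user (PAM_USER) and can refuse
# the switch even though the password was correct. With 'required' or
# 'requisite' a PAM_AUTH_ERR from the module fails the su; with
# 'optional' the verdict is ignored whenever another module in the
# stack succeeds. Here pam_listfile refuses any target account listed
# one per line in /etc/su.deny (assumed file, e.g. a line "john");
# onerr=fail means a missing or unreadable file also denies.
account     required      pam_listfile.so onerr=fail item=user sense=deny file=/etc/su.deny
account     include       system-auth

session     include       system-auth
```

With this stack, "su john" run by tom fails after the password step rather than before it, and the refusal is logged by pam_listfile under the su service, which is how to confirm the account stack, and not the auth stack, produced the denial.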