how to prohibit user's operation
Barry Brimer
lists at brimer.org
Tue Sep 4 13:14:26 UTC 2007
On Tue, 4 Sep 2007, Les Mikesell wrote:
> Ian jonhson wrote:
>> Hi,
>>
>> I log in to an account, for example my_name_1, and now I want to change to
>> another account, named my_name_2. For example,
>>
>> $ whoami
>> tom <--- legal user
>> $ su john <-- illegal operation, should be refused.
>>
>> In this case, how to refuse the request by PAM ?
>>
>> The user going through the above case can be another person; PAM
>> should be able to determine whether the operation is legal. However,
>> it is not easy to accomplish this operation control.
>>
>> The user may be a legal user; however, his operation to switch accounts
>> has to be prohibited. I used pam_sm_authenticate to authenticate that
>> the user is legal. But when I refuse his operation (su, in the above
>> example) in pam_sm_acct_mgt, I cannot get what I want.
>>
>> In pam_sm_authenticate, it returns PAM_SUCCESS if the user is a legal one.
>> And in pam_sm_acct_mgt I want to return PAM_AUTH_ERR, but the su
>> operation still goes ahead and switches to john.
>>
>> What should I do?
>
> Normally the 'auth' entry in /etc/pam.d/su would be something that makes you
> enter the password for the new user unless you are root or a member of a
> trusted group. Isn't having to know the password enough to control the
> operation?
Under normal circumstances I would agree that simply knowing the password
would be enough control. I have a situation where I have an application
that can only do traditional unix passwd/shadow authentication, which
requires knowledge of the service account password. I do not, however, want
to allow someone who knows the password (did I mention that I believe the
application stores the password in clear text?) to be able to get a shell
as the application user without using a logged shell. As a result, I use
Enterprise Audit Shell controlled with sudo access to allow logged shell
access. I use DenyGroup in sshd_config as well as a pam_listfile in
/etc/pam.d/su to prevent any unapproved type of shell access as this user.
Barry
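The thread turns on two things: the `account` stack (pam_sm_acct_mgmt) is where a "legal user, illegal target" decision belongs, and a module's failure return only stops `su` if its control flag (`required`/`requisite`) makes the stack fail. The following is an added illustration, not code from the mailing list or from Linux-PAM: a small Python model of a `/etc/pam.d/su` account stack that evaluates pam_listfile-style entries (item=user|ruser, sense=allow|deny, onerr=succeed|fail) under the four classic control flags. The list-file contents, the service account name `appsvc`, and the path `/etc/security/su.deny` are constructed for the example; the control-flag semantics are the simplified Linux-PAM rules (no `[value=action]` syntax, and the "optional is the only module" corner case is left out).

```python
"""Model of how a Linux-PAM 'account' stack for `su` reaches a verdict.

Added example, not Linux-PAM's own code. Only the classic control flags
(required, requisite, sufficient, optional) are modelled, and only
pam_listfile.so and a stand-in pam_unix.so exist as modules. Nothing here
reads the real /etc/pam.d or /etc/security; all inputs are constructed.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_SERVICE_ERR = "PAM_SERVICE_ERR"

# Constructed list file: the service account nobody may `su` to.
# (Hypothetical path and contents for this example.)
LIST_FILES = {
    "/etc/security/su.deny": "appsvc\n",
}


def parse_pam_line(line):
    """'account required pam_listfile.so item=user ...' -> (type, ctrl, module, args)."""
    ptype, ctrl, module, *args = line.split()
    return ptype, ctrl, module, dict(a.split("=", 1) for a in args)


def pam_listfile(items, args):
    """pam_listfile.so semantics: deny or allow based on whether the chosen
    PAM item (user = target account, ruser = requesting account) is listed.
    onerr= decides what happens when the file cannot be read."""
    key = args.get("item", "user")
    sense = args.get("sense", "deny")
    onerr = args.get("onerr", "fail")
    try:
        raw = LIST_FILES[args["file"]]
    except KeyError:  # unreadable/missing file: fail closed unless onerr=succeed
        return PAM_SUCCESS if onerr == "succeed" else PAM_SERVICE_ERR
    entries = {ln.strip() for ln in raw.splitlines() if ln.strip()}
    listed = items.get(key) in entries
    if sense == "deny":
        return PAM_AUTH_ERR if listed else PAM_SUCCESS
    return PAM_SUCCESS if listed else PAM_AUTH_ERR


MODULES = {
    "pam_listfile.so": pam_listfile,
    "pam_unix.so": lambda items, args: PAM_SUCCESS,  # stand-in: account not expired
}


def run_account_stack(config, items):
    """Walk the stack top to bottom and apply the control-flag rules:
    required  - failure recorded, later modules still run, stack fails
    requisite - failure returns immediately
    sufficient- success ends the stack with success (unless a required already failed)
    optional  - result ignored when other modules are present"""
    first_failure = None
    for line in config.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ptype, ctrl, module, args = parse_pam_line(line)
        rc = MODULES[module](items, args)
        ok = rc == PAM_SUCCESS
        if ctrl == "required":
            if not ok and first_failure is None:
                first_failure = rc
        elif ctrl == "requisite":
            if not ok:
                return rc
        elif ctrl == "sufficient":
            if ok and first_failure is None:
                return PAM_SUCCESS
        elif ctrl == "optional":
            pass
        else:
            raise ValueError("unsupported control flag: " + ctrl)
    return first_failure or PAM_SUCCESS


def su_allowed(config, ruser, user):
    """True if `ruser` running `su user` passes the account stack."""
    return run_account_stack(config, {"user": user, "ruser": ruser}) == PAM_SUCCESS


# Constructed /etc/pam.d/su account stacks for comparison.
SU_DENY_REQUIRED = """
account required pam_listfile.so item=user sense=deny file=/etc/security/su.deny onerr=fail
account required pam_unix.so
"""

# Same module, but 'optional': its PAM_AUTH_ERR is ignored and su goes ahead.
SU_DENY_OPTIONAL = """
account optional pam_listfile.so item=user sense=deny file=/etc/security/su.deny onerr=fail
account required pam_unix.so
"""

# Missing list file with onerr=succeed silently turns the control off.
SU_DENY_MISSING_FILE = """
account required pam_listfile.so item=user sense=deny file=/etc/security/missing onerr=succeed
account required pam_unix.so
"""

if __name__ == "__main__":
    for name, cfg in [("required", SU_DENY_REQUIRED), ("optional", SU_DENY_OPTIONAL),
                      ("missing-file", SU_DENY_MISSING_FILE)]:
        print(name, "tom -> appsvc:", su_allowed(cfg, "tom", "appsvc"),
              "| tom -> john:", su_allowed(cfg, "tom", "john"))
```

The `optional` and `onerr=succeed` variants are the two ways a correctly written denial module quietly stops working; when a return code from the account hook seems to be ignored, the control flag on the line in `/etc/pam.d/su` is the first thing to check, and `onerr=fail` keeps the control fail-closed if the list file goes missing.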