how to prohibit user 's operation

Barry Brimer lists at brimer.org
Tue Sep 4 13:14:26 UTC 2007 


On Tue, 4 Sep 2007, Les Mikesell wrote:

> Ian jonhson wrote:
>> Hi,
>> 
>> I login a account, for example my_name_1, now I want to change to
>> other account, named my_name_2. For example,
>> 
>> $ whoami
>> tom           <--- legal user
>> $ su john   <--  illegal operation, should be refused.
>> 
>> In this case, how to refuse the request by PAM ?
>> 
>> The user going through this above case can be other persons, PAM
>> should be able to determine whether the operation is legal. However,
>> it is not easy to accomplish the operation control.
>> 
>> The user may be a legal user, however his operation to switch account
>> have to be prohibited. I used the pam_sm_authenticate to authenticate
>> the user is legal. But when I refuse his operation (su, in above
>> example) by pam_sm_acct_mgt, it can not get what I want.
>> 
>> In pam_sm_authenticate, it returns PAM_SUCCESS if user is legal one.
>> And, in pam_sm_acct_mgt, I want to return PAM_AUTH_ERR, but the su
>> operation is still in function and switch to john.
>> 
>> What should I do?
>
> Normally the 'auth' entry in /etc/pam.d/su would be something that makes you 
> enter the password for the new user unless you are root or a member of a 
> trusted group.  Isn't having to know the password enough to control the 
> operation?

Under normal circumstances I would agree that simply knowing the password 
would be enough control. I have a situation where I have an application 
that can only do traditional unix passwd/shadow authentication which 
requires knowledge of the service account password.  I do not however want 
to allow someone who knows the password (did I mention that I believe the 
application stores the password in clear text?) to be able to get a shell 
as the application user without using a logged shell.  As a result, I use 
Enterprise Audit Shell controlled with sudo access to allow logged shell 
access.  I use DenyGroup in sshd_config as well as a pam_listfile in 
/etc/pam.d/su to prevent any unapproved type of shell access as this user.

Barry

More information about the Pam-list mailing list