how to prohibit user's operation

Ian jonhson jonhson.ian at gmail.com
Tue Sep 4 13:32:37 UTC 2007


> > Normally the 'auth' entry in /etc/pam.d/su would be something that makes you
> > enter the password for the new user unless you are root or a member of a
> > trusted group.  Isn't having to know the password enough to control the
> > operation?
>
> Under normal circumstances I would agree that simply knowing the password
> would be enough control. I have a situation where I have an application
> that can only do traditional unix passwd/shadow authentication which
> requires knowledge of the service account password.  I do not however want
> to allow someone who knows the password (did I mention that I believe the
> application stores the password in clear text?) to be able to get a shell
> as the application user without using a logged shell.  As a result, I use
> Enterprise Audit Shell controlled with sudo access to allow logged shell
> access.  I use DenyGroup in sshd_config as well as a pam_listfile in
> /etc/pam.d/su to prevent any unapproved type of shell access as this user.
>

I have a similar case, but I have made pam_sm_authenticate verify
whether the user is legitimate, which is a different function from
deciding who can call su. Therefore, I have to do this with other hooks,
such as pam_sm_acct_mgmt, pam_sm_authtok, etc.

Why can I not simply return PAM_AUTH_ERR in the pam_sm_authenticate hook
to prevent the user's su operation? I must accomplish my aim with the
authentication hook, mustn't I?
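For reference, an added example (not the poster's or the earlier reply's configuration) of how the "auth" stack in /etc/pam.d/su gates who may become which account with pam_listfile, as the quoted reply describes; the svcapp account name and the list-file paths are placeholders:

```conf
# /etc/pam.d/su (Linux-PAM) - illustrative fragment, not a real deployment.
# su calls pam_authenticate() on this stack. Any "required"/"requisite"
# module that returns PAM_AUTH_ERR makes that call fail, and su exits
# before any shell is spawned for the target user.
auth     sufficient   pam_rootok.so
# Deny su *to* the listed service accounts for everyone but root.
# item=user is the target account; onerr=fail denies if the list file
# is missing or unreadable instead of silently allowing.
auth     requisite    pam_listfile.so item=user sense=deny file=/etc/security/su.deny onerr=fail
# Optionally restrict who may invoke su at all (item=ruser is the caller).
auth     required     pam_listfile.so item=ruser sense=allow file=/etc/security/su.allow onerr=fail
auth     include      system-auth
account  include      system-auth
session  include      system-auth

# /etc/security/su.deny - one account name per line (placeholder content)
svcapp
```

Logged access to the service account is then left to a separate path such as sudo, exactly as the quoted reply does, while the password alone no longer yields an unlogged shell via su.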
