PAM and su behavior

Russell N. Price rprice at honlab.nmfs.hawaii.edu
Wed Mar 5 01:57:57 UTC 2008


Hello,

I'm experiencing unexpected PAM behavior under RHEL4.6 
(pam-0.77-66.23). When I su to an account as a non-root user, 
the login failure counter is always updated for the account 
being su'd to, even when the su is successful.

/etc/pam.d/su:

#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open
session    optional     /lib/security/$ISA/pam_xauth.so

/etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=10
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Is there something obvious wrong here?

Thanks in advance.
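As an added example (not part of the post above), the following Python walker applies the classic PAM control-flag rules (required / sufficient / optional, with pam_stack.so resolved recursively) to the auth and account groups of the two files quoted in the message, comment lines and $ISA paths dropped, and lists which modules a su by a non-root caller actually reaches. The pass/fail outcomes for pam_rootok and the two pam_succeed_if tests are assumptions for a non-root caller su'ing to a regular account with uid >= 100.

```python
# Added example: walk the su and system-auth stacks from the post under the
# classic PAM control-flag rules and list the modules a su actually reaches.
SERVICES = {  # constructed from the post; comments and $ISA paths dropped
    "su": """
auth    sufficient pam_rootok.so
auth    required   pam_stack.so service=system-auth
account sufficient pam_succeed_if.so uid=0 use_uid quiet
account required   pam_stack.so service=system-auth
""",
    "system-auth": """
auth    required   pam_env.so
auth    required   pam_tally.so onerr=fail no_magic_root
auth    sufficient pam_unix.so likeauth nullok
auth    required   pam_deny.so
account required   pam_unix.so
account required   pam_tally.so per_user deny=3 no_magic_root reset
account sufficient pam_succeed_if.so uid < 100 quiet
account required   pam_permit.so
""",
}
# Assumed outcomes: pam_deny always fails; for a non-root caller pam_rootok and
# "uid=0 use_uid" fail, and the target account has uid >= 100 ("uid < 100" fails).
NON_ROOT = {"pam_deny.so": "fail", "pam_rootok.so": "fail", "pam_succeed_if.so": "fail"}

def parse(service, stype):
    # Yield (control, module, args) for one management group of a service.
    for line in SERVICES[service].strip().splitlines():
        f = line.split()
        if f[0] == stype:
            yield f[1], f[2], f[3:]

def walk(service, stype, results, invoked=None):
    """Return (outcome, modules invoked in order). 'sufficient' success ends the
    stack unless a 'required' module already failed; 'required' failure is
    remembered while later modules still run; pam_stack.so runs a sub-stack."""
    invoked, failed = ([] if invoked is None else invoked), False
    for ctrl, mod, args in parse(service, stype):
        if mod == "pam_stack.so":
            sub = next(a.split("=", 1)[1] for a in args if a.startswith("service="))
            res, _ = walk(sub, stype, results, invoked)
        else:
            invoked.append(mod)
            res = results.get(mod, "ok")  # unlisted modules are assumed to pass
        if ctrl == "sufficient" and res == "ok" and not failed:
            return "ok", invoked
        if ctrl == "required" and res != "ok":
            failed = True
    return ("fail" if failed else "ok"), invoked

if __name__ == "__main__":
    print({p: walk("su", p, NON_ROOT) for p in ("auth", "account")})
```

With this configuration pam_tally is reached in both groups: pam_tally(8) increments its counter in the auth call, and the account call with `reset` is the one that clears it when `deny` has not been exceeded, so both calls matter when reading the counter after a su.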
