https://community.hpe.com/t5/operating-system-linux/pam-wheel-so-on-suse/m-p/3858776#M25097 Hi,<BR /><BR />You can actually configure using webmin or Yast tool.<BR /> Thu, 07 Sep 2006 23:15:57 GMT Ryan Goh 2006-09-07T23:15:57Z https://community.hpe.com/t5/operating-system-linux/pam-wheel-so-on-suse/m-p/3858772#M25093 On our SuSE systems that have pam-0.80-6 and no NIS, I'm able to include the following line in /etc/pam.d/su and it restricts su to root to members of the wheel group as expected:<BR /><BR />auth requisite pam_wheel.so group=wheel<BR /><BR />However, on some older installs with pam-0.77-124 or pam-0.77-221 using NIS, this same line doesn't quite work. It seems to work as expected for local users, but, if the user is defined in NIS, it allows them to su to root regardless of the wheel restriction.<BR /><BR />The complete /etc/pam.d/su is:<BR /><BR />#%PAM-1.0<BR />auth sufficient pam_rootok.so<BR />auth requisite pam_wheel.so group=wheel<BR />auth required pam_unix2.so nullok #set_secrpc<BR />account required pam_unix2.so<BR />password required pam_pwcheck.so nullok<BR />password required pam_unix2.so nullok use_first_pass use_authtok<BR />#session required pam_homecheck.so<BR />session required pam_unix2.so debug # none or trace<BR /><BR />These are significantly different from the pam-0.80-6 entries:<BR /><BR />#%PAM-1.0<BR />auth sufficient pam_rootok.so<BR />auth requisite pam_wheel.so group=wheel<BR />auth include common-auth<BR />account include common-account<BR />password include common-password<BR />session include common-session<BR />session optional pam_xauth.so<BR /><BR />Anyone who knows PAM well want to take a stab at explaining this? A bug? A configuration problem? Thu, 07 Sep 2006 13:50:41 GMT https://community.hpe.com/t5/operating-system-linux/pam-wheel-so-on-suse/m-p/3858772#M25093 Jeff_Traigle 2006-09-07T13:50:41Z https://community.hpe.com/t5/operating-system-linux/pam-wheel-so-on-suse/m-p/3858773#M25094 So, any of the versions works with NIS? Can you add the debug option to the pam_wheel module and post the syslog messages? Thu, 07 Sep 2006 14:23:15 GMT https://community.hpe.com/t5/operating-system-linux/pam-wheel-so-on-suse/m-p/3858773#M25094 Ivan Ferreira 2006-09-07T14:23:15Z https://community.hpe.com/t5/operating-system-linux/pam-wheel-so-on-suse/m-p/3858774#M25095 Ugh! Now it appears to be working properly even with the NIS users. Maybe it just needs to think about it for a while. :) Thu, 07 Sep 2006 14:37:21 GMT https://community.hpe.com/t5/operating-system-linux/pam-wheel-so-on-suse/m-p/3858774#M25095 Jeff_Traigle 2006-09-07T14:37:21Z https://community.hpe.com/t5/operating-system-linux/pam-wheel-so-on-suse/m-p/3858775#M25096 Shalom,<BR /><BR />I believe it is a bug in the libwrap.so with tcp wrappers.<BR /><BR />I don't know a lot about tcp_wrappers but just went through the basics during RHCE training.<BR /><BR />SEP Thu, 07 Sep 2006 14:38:53 GMT https://community.hpe.com/t5/operating-system-linux/pam-wheel-so-on-suse/m-p/3858775#M25096 Steven E. Protter 2006-09-07T14:38:53Z https://community.hpe.com/t5/operating-system-linux/pam-wheel-so-on-suse/m-p/3858776#M25097 Hi,<BR /><BR />You can actually configure using webmin or Yast tool.<BR /> Thu, 07 Sep 2006 23:15:57 GMT https://community.hpe.com/t5/operating-system-linux/pam-wheel-so-on-suse/m-p/3858776#M25097 Ryan Goh 2006-09-07T23:15:57Z