topic Re: Query about PAM in Operating System - Linux

Query about PAM

Robert Walker_8 — Fri, 22 Jul 2005 00:04:32 GMT

As mentioned in a thread before - I am setting up our standard Redhat environment - using V4U1.

We use Tru64 and are migrating to Linux RHEL. Under T64 only users in the system group can su to root, while others can su to other accounts as long as they know the password.

We would like to allow the same in RHEL however the PAM solution once enabled ie pam_wheel.so use_id results in no one being able to su except for users being the member of the wheel group. This defeats the purpose of allowing staff to be normal users who have the ability to su to oracle to act as dbas.

We wish to have the control over su to root but not the whole distance. I was browsing somewhere that mentioned that this was a bug in PAM or is it intended? and can the method that we want (ie Only locking root out to wheel group members but allowing su to other accounts) be implemented in a simpler way (ie not using pam_listfiles.so as this will create an admin headache).

Any help would be good?

Robert.

Re: Query about PAM

Stuart Browne — Fri, 22 Jul 2005 00:20:31 GMT

Hrm.. in '/etc/pam.d/su', you should have a line similar to:

auth required pam_wheel.so group=system use_uid

as the 2nd or 3rd line.

Re: Query about PAM

Robert Walker_8 — Fri, 22 Jul 2005 00:32:11 GMT

Gday SEP (if I may?),

By placing group=system just means that members of system can su. It still doesnt fix the fact that unless your a member of system you cannot su - full stop end of story!

If I create an account called test and it has a password fred. Then if I am not a member of the system group to su to root I cannot su - test (password: fred) it returns su: incorrect password

I read an approach using listfiles and setting up individual groups and using listfiles and group membership to allow su, but thats a lot of mucking about and when another group/user comes along then you have to set that one up as well.

Any ideas?

Re: Query about PAM

Ermin Borovac — Fri, 22 Jul 2005 00:33:20 GMT

With PAM versions prior to 0.78 pam_wheel didn't allow su to user other than root. Version 0.78 make this enforcement optional with root_only option.

See

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161579

Re: Query about PAM

Robert Walker_8 — Fri, 22 Jul 2005 00:33:44 GMT

Try again, Sorry Stuart - thought the email was from SEP am new to all this. Oh for the good old days of VMS and ringing up DEC!

Re: Query about PAM

Robert Walker_8 — Fri, 22 Jul 2005 00:58:37 GMT

Thanks Ermin,

Looks like I have to wait until the fix in 0.77 (regress from 0.78) becomes available?

Robert.

Re: Query about PAM

Stuart Browne — Fri, 22 Jul 2005 01:06:17 GMT

Or you could cheat..

Grab the FC4 pam-0.79 SRC RPM's, and compile then for RHEL4 using 'rpmbuild --rebuild ...'.

ftp://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/SRPMS/pam-0.79-9.src.rpm

.. and associated others (from ftp://download.fedora.redhat.com/pub/fedora/linux/core/4/SRPMS/pam-*-0.79-8.src.rpm ) if required.

I love a good cheat :P