
Re: Query about PAM

 
SOLVED
Go to solution
Robert Walker_8
Valued Contributor

Query about PAM

As mentioned in a thread before, I am setting up our standard Redhat environment, using V4U1.

We use Tru64 and are migrating to Linux RHEL. Under T64 only users in the system group can su to root, while others can su to other accounts as long as they know the password.

We would like to allow the same in RHEL; however, the PAM solution once enabled (i.e. pam_wheel.so use_uid) results in no one being able to su except for users who are members of the wheel group. This defeats the purpose of allowing staff to be normal users who have the ability to su to oracle to act as DBAs.

We wish to have control over su to root, but not the whole distance. I was browsing somewhere that mentioned that this was a bug in PAM, or is it intended? And can the method that we want (i.e. only locking root out to wheel group members but allowing su to other accounts) be implemented in a simpler way (i.e. not using pam_listfile.so, as this will create an admin headache)?

Any help would be good.

Robert.
6 REPLIES
Stuart Browne
Honored Contributor

Re: Query about PAM

Hrm.. in '/etc/pam.d/su', you should have a line similar to:

auth required pam_wheel.so group=system use_uid

as the 2nd or 3rd line.
One long-haired git at your service...
Robert Walker_8
Valued Contributor

Re: Query about PAM

Gday SEP (if I may?),

Placing group=system just means that members of system can su. It still doesn't fix the fact that unless you're a member of system you cannot su - full stop, end of story!

If I create an account called test and it has the password fred, then if I am not a member of the system group (to su to root) I cannot "su - test" (password: fred); it returns "su: incorrect password".

I read an approach using listfile and setting up individual groups, using listfile and group membership to allow su, but that's a lot of mucking about, and when another group/user comes along then you have to set that one up as well.

Any ideas?
Ermin Borovac
Honored Contributor
Solution

Re: Query about PAM

With PAM versions prior to 0.78, pam_wheel didn't allow su to any user other than root. Version 0.78 makes this enforcement optional with the root_only option.

See

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161579
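To make the difference between the two behaviours concrete, here is a small model of pam_wheel's decision as applied to a line from /etc/pam.d/su. This is an added illustration, not code from Linux-PAM or from anyone in this thread: it mimics the documented options (group=, use_uid, root_only, trust, deny) against a constructed group database, so the effect of root_only can be checked without touching a live system. Only the pam_wheel step is modelled; the password prompt that follows a PAM_IGNORE or PAM_SUCCESS result is assumed to be handled by the rest of the stack.

```python
"""Model of the pam_wheel.so decision used by /etc/pam.d/su (illustration only)."""
import shlex

# Constructed sample group database: group name -> set of member user names.
GROUPS = {
    "wheel": {"alice"},
    "system": {"alice", "bob"},
}

PAM_SUCCESS = "PAM_SUCCESS"        # module satisfied (only with 'trust')
PAM_IGNORE = "PAM_IGNORE"          # module has no opinion, stack continues
PAM_PERM_DENIED = "PAM_PERM_DENIED"  # su refused before any password prompt


def parse_pam_line(line):
    """Split one /etc/pam.d rule into (type, control, module, options).

    Options of the form key=value become {key: value}; bare flags become
    {flag: True}.  Raises ValueError for lines that are not PAM rules.
    """
    fields = shlex.split(line, comments=True)
    if len(fields) < 3:
        raise ValueError("not a PAM rule: %r" % line)
    ptype, control, module = fields[:3]
    options = {}
    for opt in fields[3:]:
        key, sep, value = opt.partition("=")
        options[key] = value if sep else True
    return ptype, control, module, options


def pam_wheel_decide(options, caller, target):
    """Return the pam_wheel result for `caller` trying to su to `target`.

    Simplified from pam_wheel's documented behaviour:
      - root_only: only su to root is checked; other targets get PAM_IGNORE
      - group=NAME: check membership of NAME instead of wheel
      - deny: invert the membership test
      - trust: members get PAM_SUCCESS instead of PAM_IGNORE
    use_uid only changes *how* the caller is identified (real uid rather
    than login name), so here the caller name is taken as given.
    """
    group = options.get("group", "wheel")
    if "root_only" in options and target != "root":
        return PAM_IGNORE
    in_group = caller in GROUPS.get(group, set())
    if "deny" in options:
        in_group = not in_group
    if in_group:
        return PAM_SUCCESS if "trust" in options else PAM_IGNORE
    return PAM_PERM_DENIED


def su_may_proceed(pam_line, caller, target):
    """True if pam_wheel lets the su attempt reach the password check."""
    _, _, module, options = parse_pam_line(pam_line)
    if module != "pam_wheel.so":
        raise ValueError("expected a pam_wheel.so rule, got %r" % module)
    return pam_wheel_decide(options, caller, target) != PAM_PERM_DENIED


if __name__ == "__main__":
    old_style = "auth required pam_wheel.so use_uid"
    new_style = "auth required pam_wheel.so use_uid root_only"
    for line in (old_style, new_style):
        print(line)
        for caller, target in (("bob", "oracle"), ("bob", "root"), ("alice", "root")):
            verdict = "proceeds" if su_may_proceed(line, caller, target) else "denied"
            print("  %s -> su %s: %s" % (caller, target, verdict))
```

Running it shows the complaint from the first post: without root_only, bob (not in wheel) is refused even for "su - oracle", while with root_only he is refused only when the target is root. Swapping in group=system reproduces the Tru64-style policy the thread is after.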
Robert Walker_8
Valued Contributor

Re: Query about PAM

Try again. Sorry Stuart - I thought the email was from SEP; I am new to all this. Oh, for the good old days of VMS and ringing up DEC!
Robert Walker_8
Valued Contributor

Re: Query about PAM

Thanks Ermin,

Looks like I have to wait until the fix in 0.77 (regressed from 0.78) becomes available?

Robert.
Stuart Browne
Honored Contributor

Re: Query about PAM

Or you could cheat..

Grab the FC4 pam-0.79 SRC RPMs, and compile them for RHEL4 using 'rpmbuild --rebuild ...'.

ftp://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/SRPMS/pam-0.79-9.src.rpm

.. and associated others (from ftp://download.fedora.redhat.com/pub/fedora/linux/core/4/SRPMS/pam-*-0.79-8.src.rpm ) if required.

I love a good cheat :P
One long-haired git at your service...