Simpler Navigation for Servers and Operating Systems - Please Update Your Bookmarks
Completed: a much simpler Servers and Operating Systems section of the Community. We combined many of the older boards, so you won't have to click through so many levels to get at the information you need. Check the consolidated boards here as many sub-forums are now single boards.
If you have bookmarked forums or discussion boards in Servers and Operating Systems, we suggest you check and update them as needed.
cancel
Showing results for 
Search instead for 
Did you mean: 

Query about PAM

SOLVED
Go to solution
Robert Walker_8
Valued Contributor

Query about PAM

As mentioned in a thread before - I am setting up our standard Redhat environment - using V4U1.

We use Tru64 and are migrating to Linux RHEL. Under T64 only users in the system group can su to root, while others can su to other accounts as long as they know the password.

We would like to allow the same in RHEL however the PAM solution once enabled ie pam_wheel.so use_id results in no one being able to su except for users being the member of the wheel group. This defeats the purpose of allowing staff to be normal users who have the ability to su to oracle to act as dbas.

We wish to have the control over su to root but not the whole distance. I was browsing somewhere that mentioned that this was a bug in PAM or is it intended? and can the method that we want (ie Only locking root out to wheel group members but allowing su to other accounts) be implemented in a simpler way (ie not using pam_listfiles.so as this will create an admin headache).

Any help would be good?

Robert.
6 REPLIES
Stuart Browne
Honored Contributor

Re: Query about PAM

Hrm.. in '/etc/pam.d/su', you should have a line similar to:

auth required pam_wheel.so group=system use_uid

as the 2nd or 3rd line.
One long-haired git at your service...
Robert Walker_8
Valued Contributor

Re: Query about PAM

Gday SEP (if I may?),

By placing group=system just means that members of system can su. It still doesnt fix the fact that unless your a member of system you cannot su - full stop end of story!

If I create an account called test and it has a password fred. Then if I am not a member of the system group to su to root I cannot su - test (password: fred) it returns su: incorrect password

I read an approach using listfiles and setting up individual groups and using listfiles and group membership to allow su, but thats a lot of mucking about and when another group/user comes along then you have to set that one up as well.

Any ideas?
Ermin Borovac
Honored Contributor
Solution

Re: Query about PAM

With PAM versions prior to 0.78 pam_wheel didn't allow su to user other than root. Version 0.78 make this enforcement optional with root_only option.

See

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161579
Robert Walker_8
Valued Contributor

Re: Query about PAM

Try again, Sorry Stuart - thought the email was from SEP am new to all this. Oh for the good old days of VMS and ringing up DEC!
Robert Walker_8
Valued Contributor

Re: Query about PAM

Thanks Ermin,


Looks like I have to wait until the fix in 0.77 (regress from 0.78) becomes available?

Robert.
Stuart Browne
Honored Contributor

Re: Query about PAM

Or you could cheat..

Grab the FC4 pam-0.79 SRC RPM's, and compile then for RHEL4 using 'rpmbuild --rebuild ...'.

ftp://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/SRPMS/pam-0.79-9.src.rpm

.. and associated others (from ftp://download.fedora.redhat.com/pub/fedora/linux/core/4/SRPMS/pam-*-0.79-8.src.rpm ) if required.

I love a good cheat :P
One long-haired git at your service...