#1 (Just Joined!, joined Sep 2011, 5 posts)

    PAM module to limit su -

    Hi All,

    This is Red Hat Ent linux 5.5

    I am trying to disable a user from performing

    % su - root

    I have managed to prevent sudo su access through the /etc/sudoers files.

    For this purpose I am trying to use PAM by modifying file /etc/pam.d/su and adding the following line to it.

    auth required /lib/security/pam_listfile.so item = user onerror=fail sense=deny file=/etc/security/su

    I also created the /etc/security/su file with "root" as the content. For some reason I am not able to get this working. Am I missing anything here? Any pointers will really help.

    Thanks

#2 (Rubberman, Linux Guru, joined Apr 2009, 11,753 posts, location: I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.)
    The command "su -" or "su - root" should only work if the user has the password for root. If it is not asking for the root or other user ( if the command was "su - otheruser" ) password, then there is some other problem. If it does ask for the password, and they don't input it correctly, then they should be rejected from switching user accounts. If they do have and input the correct password, then there is nothing you can do, as they can easily login as root.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

#3 (original poster, Just Joined!, joined Sep 2011, 5 posts)
    Quote Originally Posted by Rubberman View Post
    The command "su -" or "su - root" should only work if the user has the password for root. If it is not asking for the root or other user ( if the command was "su - otheruser" ) password, then there is some other problem. If it does ask for the password, and they don't input it correctly, then they should be rejected from switching user accounts. If they do have and input the correct password, then there is nothing you can do, as they can easily login as root.

    Thank you for your reply. So is there any other way, apart from using the wheel group or removing execute permissions on /bin/su, that I can achieve this?

    I got the above solution from the below link:
    www[dot]informit[dot]com/articles/article.aspx?p=165226&seqNum=10 (InformIT: Been Cracked? Just Put PAM On It! > Access Control with pam_listfile)

    Thanks

#4 (nplusplus, Linux Newbie, joined Apr 2010, 106 posts, location: Charlotte, NC, USA)
    From my reading of the link you posted, your listfile needs to contain the username of the user trying to run "su", not the username "root." Of course, this assumes "su" is PAM-aware.

    N

#5 (original poster, Just Joined!, joined Sep 2011, 5 posts)
    Quote Originally Posted by nplusplus View Post
    From my reading of the link you posted, your listfile needs to contain the username of the user trying to run "su", not the username "root." Of course, this assumes "su" is PAM-aware.

    N
    Thanks folks.

    Well n++, I am not really sure if what you're saying is true. I have read the link twice now... it says the list file will contain users who can become arguments to su, meaning any user can execute su but only to become users on the list. It even states an example!!

    The way it works for me now is that if I add the entry to /etc/pam.d/su, it blocks "all" users from su; it does not really care about the /etc/security/su file. Is this how it is intended?
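A way to check the semantics argued over in posts #1, #4 and #5 without touching /etc/pam.d, as an added example that is not from the thread, from InformIT or from Linux-PAM itself: the script below re-implements pam_listfile's documented allow/deny rule in Python and runs the configurations from the thread through it. It assumes what su actually hands to PAM, namely that PAM_USER is the target account (the argument to su) and PAM_RUSER is the invoking account, so item=user matches the name after "su -" while item=ruser matches who typed it. The user names, the second list file and the "item = user" variant (the line exactly as quoted in post #1, with spaces around the equals sign) are constructed scenarios; whether that spacing is what blocked everyone on the poster's box is an assumption, not something the thread confirms.

```python
"""Model of pam_listfile's decision for the "su" PAM service.

Added example, not code from the thread or from Linux-PAM. It reproduces
the module's documented rule: look up one item (here the target user or
the invoking user) in a list file and allow or deny depending on "sense";
any configuration or file error falls back to the "onerror" outcome.
Assumption: for su, PAM_USER is the target account and PAM_RUSER is the
invoking account. Only item=user and item=ruser are modelled.
"""
from typing import Dict, Iterable, Optional

KNOWN_OPTIONS = ("item", "sense", "file", "onerror", "apply")


def parse_args(argv: Iterable[str]) -> Dict[str, str]:
    """Parse module arguments exactly as they are split on the config line.

    A token without '=' (which is what 'item = user' with spaces becomes:
    three tokens 'item', '=', 'user') is an unknown option and is recorded
    so the caller can treat it as a configuration error.
    """
    opts: Dict[str, str] = {}
    unknown = []
    for tok in argv:
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key in KNOWN_OPTIONS:
                opts[key] = value
                continue
        unknown.append(tok)
    if unknown:
        opts["_unknown"] = " ".join(unknown)
    return opts


def listfile_decision(argv: Iterable[str], list_contents: Optional[str],
                      ruser: str, user: str) -> str:
    """Return "allow" or "deny" for one su attempt.

    argv:          module arguments as written after pam_listfile.so
    list_contents: text of the list file, or None if it cannot be read
    ruser:         invoking account (PAM_RUSER)
    user:          target account (PAM_USER)
    """
    opts = parse_args(argv)
    # onerror=succeed is the only way an error turns into "allow";
    # onerror=fail (and the default) makes the auth line fail, i.e. deny.
    onerror = "allow" if opts.get("onerror") == "succeed" else "deny"
    item, sense = opts.get("item"), opts.get("sense")
    if ("_unknown" in opts or item not in ("user", "ruser")
            or sense not in ("allow", "deny") or "file" not in opts):
        return onerror          # malformed configuration
    if list_contents is None:
        return onerror          # list file missing or unreadable
    entries = {ln.strip() for ln in list_contents.splitlines() if ln.strip()}
    listed = (user if item == "user" else ruser) in entries
    if sense == "allow":
        return "allow" if listed else "deny"
    return "deny" if listed else "allow"


# Constructed scenarios for the thread's configurations.
OP_ARGS = ["item=user", "onerror=fail", "sense=deny", "file=/etc/security/su"]
OP_LIST = "root\n"                          # what post #1 put in the file
SPACED_ARGS = ["item", "=", "user", "onerror=fail", "sense=deny",
               "file=/etc/security/su"]     # the line as quoted, with spaces
# To block one invoking user (bob) from su altogether, check PAM_RUSER.
RUSER_ARGS = ["item=ruser", "sense=deny", "onerror=fail",
              "file=/etc/security/su-denied"]
RUSER_LIST = "bob\n"


def run_scenarios() -> Dict[str, str]:
    """Evaluate each constructed case; keys read 'config:ruser->user'."""
    cases = {
        "op:bob->root": (OP_ARGS, OP_LIST, "bob", "root"),
        "op:bob->alice": (OP_ARGS, OP_LIST, "bob", "alice"),
        "spaced:bob->alice": (SPACED_ARGS, OP_LIST, "bob", "alice"),
        "ruser:bob->root": (RUSER_ARGS, RUSER_LIST, "bob", "root"),
        "ruser:alice->root": (RUSER_ARGS, RUSER_LIST, "alice", "root"),
        "ruser:file-missing:alice->root": (RUSER_ARGS, None, "alice", "root"),
    }
    return {name: listfile_decision(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32} {verdict}")
```

Read against the thread: with item=user, sense=deny and "root" in the file, "su - root" is denied for every invoking user while "su - alice" still passes to the password prompt, which is what post #1 and post #5 describe the InformIT article as saying; to deny a particular person rather than a particular target, the check has to be item=ruser with that person's name in the list. Two checks pam_listfile makes on the real system are outside the model but matter when it "blocks all users": the list file must be owned by root and not world-writable, or the module returns the onerror result for everyone, and on x86_64 hosts the module lives under /lib64/security, so writing the bare name pam_listfile.so and letting PAM resolve the directory avoids a load failure that the required control flag turns into a denial.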
