- 09-22-2011 #1 Just Joined!
- Join Date
- Sep 2011
- Posts
- 5
PAM module to limit su -
Hi All,
This is Red Hat Enterprise Linux 5.5.
I am trying to disable a user from performing:
% su - root
I have managed to prevent sudo su access through the /etc/sudoers file.
For this purpose I am trying to use PAM by modifying the file /etc/pam.d/su and adding the following line to it:
# pam_listfile options are single words: item=user, not "item = user"
auth required /lib/security/pam_listfile.so item=user onerror=fail sense=deny file=/etc/security/su
I also created the /etc/security/su file with "root" as the content. For some reason I am not able to get this working. Am I missing anything here? Any pointers will really help.
Thanks
- 09-22-2011 #2 Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 8,974
The command "su -" or "su - root" should only work if the user has the password for root. If it is not asking for the root or other user's password (if the command was "su - otheruser"), then there is some other problem. If it does ask for the password, and they don't input it correctly, then they should be rejected from switching user accounts. If they do have and input the correct password, then there is nothing you can do, as they can easily login as root.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 09-22-2011 #3 Just Joined!
- Join Date
- Sep 2011
- Posts
- 5
Thank you for your reply. So is there any other way, apart from using the wheel group or removing execute permissions on /bin/su, that I can achieve this?
I got the above solution from the below link:
www[dot]informit[dot]com/articles/article.aspx?p=165226&seqNum=10 (InformIT: Been Cracked? Just Put PAM On It! > Access Control with pam_listfile)
Thanks
- 09-23-2011 #4 Just Joined!
- Join Date
- Apr 2010
- Posts
- 69
From my reading of the link you posted, your listfile needs to contain the username of the user trying to run "su", not the username "root." Of course, this assumes "su" is PAM-aware.
N
- 09-23-2011 #5 Just Joined!
- Join Date
- Sep 2011
- Posts
- 5
Thanks folks.
Well n++, I am not really sure if what you're saying is true. I have read the link twice now... it says the list file will contain users who can become arguments to su, meaning any user can execute su but only to become users on the list. It even states an example!!
The way it works for me now is: if I add the entry to /etc/pam.d/su, it blocks "all" users from su; it does not really care about the /etc/security/su file. Is this how it is intended?
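As an added example (not code from this thread, from InformIT or from pam_listfile itself), here is a small POSIX-shell model of the decision pam_listfile.so makes, so the two readings of item=user argued about above can be tried offline against a constructed list file instead of editing /etc/pam.d/su on a live box. The function name pam_listfile_decide, the temporary list file and the user names alice/bob are my own; only the user and ruser item types are modelled (an assumption: other item types such as group or tty are left out).

```shell
#!/bin/sh
# Added example, not part of the thread: a POSIX-shell model of how pam_listfile.so
# decides, so "item=user" vs "item=ruser" can be tried against a constructed list file.
#
# pam_listfile_decide ITEM SENSE ONERROR LISTFILE RUSER USER
#   ITEM    user  -> compare PAM_USER, the account su is switching TO ("su - root" => root)
#           ruser -> compare PAM_RUSER, the account that ran su
#   SENSE   allow -> listed entries pass, everything else is denied
#           deny  -> listed entries are denied, everything else passes
#   ONERROR fail|succeed -> result when the module cannot evaluate (bad args, unreadable file)
# Returns 0 for "allow" and 1 for "deny". Only user/ruser are modelled (assumption).
pam_listfile_decide() {
    item=$1 sense=$2 onerror=$3 listfile=$4 ruser=$5 user=$6
    case $item in
        user)  value=$user ;;
        ruser) value=$ruser ;;
        *)     # "item = user" with spaces reaches the module as three separate words,
               # so no item type is ever set; pam_listfile then returns its onerror
               # result for every caller, which with onerror=fail blocks su for everyone.
               [ "$onerror" = succeed ]; return ;;
    esac
    # An unreadable list file is likewise an error condition decided by onerror.
    [ -r "$listfile" ] || { [ "$onerror" = succeed ]; return; }
    if grep -qxF -- "$value" "$listfile"; then found=1; else found=0; fi
    case $sense in
        allow) [ "$found" -eq 1 ] ;;
        deny)  [ "$found" -eq 0 ] ;;
        *)     [ "$onerror" = succeed ] ;;
    esac
}

# Walk the thread's configuration through the model with a constructed list containing only "root",
# for the hypothetical user alice running "su - root".
demo() {
    list=$(mktemp)
    printf 'root\n' > "$list"
    for args in "user deny fail" "ruser deny fail" "item deny fail"; do
        set -- $args
        if pam_listfile_decide "$1" "$2" "$3" "$list" alice root; then r=allow; else r=deny; fi
        echo "item=$1 sense=$2 onerror=$3: alice running 'su - root' -> $r"
    done
    rm -f "$list"
}
demo
```

Note that item=user sense=deny with root listed refuses the root target to every caller (wheel members included), not just one user; restricting a particular caller is the item=ruser case.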