About Me
 
- Name: SWeidner
- Location: Elk Point, South Dakota, United States
Steve's random ramblings and technical notes
Wednesday, October 13, 2004
Setting "su" restrictions for specific users
I got this from http://www.puschitz.com/Security.shtml and applied it on a local machine to prevent "certain users" from calling su.
Setting Up "su" Restrictions for "root"
NOTE: The pam_wheel module has changed!
The documentation about the pam_wheel module included in RH 7.2, 7.3, and 2.1AS is wrong. The pam_wheel module is not being used any more to restrict su to the root account only. As soon as you enable the pam_wheel module, only people in the wheel group will be able to su to root and to non-root accounts as well. That's why I'm not using it for restricting root access, since it automatically restricts non-root access as well.
The following restrictions should be set up:
- Nobody should be allowed to su to any user account.
- Allow root authentication to members of the "root_members" group only. Only people in the "root_members" group should be able to su to the "root" account.
- If someone is not a member of this group, he should not be able to su to root even if the person knows the password.
Create the "root_members" group:
groupadd root_members
Add user accounts to the "root_members" group. E.g.:
usermod -G root_members $user_account
The /etc/pam.d/su file should read like:
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_stack.so service=system-auth
auth sufficient /lib/security/pam_stack.so service=root-members
auth required /lib/security/pam_deny.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
The /etc/pam.d/root-members file, which is referenced in /etc/pam.d/su, should read like:
auth required /lib/security/pam_wheel.so use_uid group=root_members
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/root
The /etc/membergroups/root file, which is referenced in /etc/pam.d/root-members, should have only one entry. Note that you first have to create the directory /etc/membergroups. You can also put the file into another directory; you just need to change the path in /etc/pam.d/root-members.
root
Now you can test and check if only people in the "root_members" group can su to root.
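As an added illustration (not from this post or from puschitz.com), the following Python model walks through how PAM evaluates the "required" and "sufficient" flags in the su stack above. The module behaviour, the user names and the passwords are constructed; it shows why a non-member fails even with the correct root password and why a member cannot su to a non-root account.

```python
# Constructed sample data standing in for group membership, the
# /etc/membergroups/root file and the system-auth password check.
ROOT_MEMBERS = {"alice"}                     # members of group root_members
MEMBERGROUPS_ROOT = {"root"}                 # contents of /etc/membergroups/root
PASSWORDS = {"root": "r00t", "bob": "b0b"}   # what pam_stack service=system-auth checks


def run_stack(stack, ctx):
    """Evaluate an auth stack of (control_flag, module) pairs.

    required:   a failure marks the whole stack as failed but later modules still run.
    sufficient: a success ends the stack with success unless a required module
                already failed; a failure is simply ignored.
    """
    failed = False
    for flag, module in stack:
        ok = module(ctx)
        if flag == "required" and not ok:
            failed = True
        elif flag == "sufficient" and ok and not failed:
            return True
    return not failed


# Hypothetical stand-ins for the real modules referenced in /etc/pam.d/su.
def pam_rootok(ctx):      # caller is already uid 0
    return ctx["caller_uid"] == 0

def system_auth(ctx):     # password of the target account
    return PASSWORDS.get(ctx["target"]) == ctx["password"]

def pam_wheel(ctx):       # use_uid group=root_members: caller must be a member
    return ctx["caller"] in ROOT_MEMBERS

def pam_listfile(ctx):    # item=user sense=allow: target must be listed (only "root")
    return ctx["target"] in MEMBERGROUPS_ROOT

def pam_deny(ctx):
    return False


ROOT_MEMBERS_STACK = [("required", pam_wheel), ("required", pam_listfile)]
SU_STACK = [
    ("sufficient", pam_rootok),
    ("required", system_auth),
    ("sufficient", lambda c: run_stack(ROOT_MEMBERS_STACK, c)),  # pam_stack service=root-members
    ("required", pam_deny),
]


def su_allowed(caller, caller_uid, target, password):
    ctx = {"caller": caller, "caller_uid": caller_uid, "target": target, "password": password}
    return run_stack(SU_STACK, ctx)
```

Because pam_deny is the last required module, the only path to success is one of the two sufficient lines: being root already, or passing both the group check and the target-is-root check after a correct password.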
Setting Up "login" Restrictions
This configuration file dictates the authentication scheme for the login application.
PAM module: pam_access.so (/lib/security/pam_access.so)
This module provides logdaemon-style login access control, based on login names and on host names, IP addresses, etc. This can be configured in /etc/security/access.conf, which will be covered later.
/etc/pam.d/login example
Using the example above, here is how the /etc/pam.d/login file might look:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_access.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so