nadampel n00b
Joined: 14 Mar 2018 Posts: 1
Posted: Wed Mar 21, 2018 10:16 am Post subject: Access to su without being in the wheel group (the PAM way)
If you're like me, then you're a little nervous about granting your non-root user access to the wheel group just so you can use su when you need to. Users in the wheel group are a little more powerful than the standard user, and I like to keep my non-root user as powerless as possible (it's a power trip)
There are a couple of ways to do this. In particular, you can do this with sudo and the /etc/sudoers file, but I am not adept in the ways of sudo (perhaps someone can post a reply instructing how to do this with sudo?), and I prefer the simpler solution of using PAM (Pluggable Authentication Modules) directly.
First, make sure that you have PAM installed.
Code:
emerge sys-libs/pam
Now, edit the /etc/pam.d/su file. This file contains configuration information about which PAM modules to load to enforce security with respect to the su command. In this file, look for the line that looks like this:
Code:
auth required /lib/security/pam_wheel.so use_uid
This line loads the pam_wheel.so module, which tells PAM that in order to use su, it is required that the requesting user be a part of the wheel group. We can change this default behavior by telling PAM that we want it to check for a different group. Simply append group=<nameOfGroup> to the end of that line to make su recognize a group other than wheel. For example:
Code:
auth required /lib/security/pam_wheel.so use_uid group=sugrp
In this case, PAM will require that any user requesting to use the su command must be a member of the sugrp group.
All that remains is adding to the appropriate group all of the users that you want to use su.
NOTE: This method affects all use of the su command, even to users other than the root. That is, if a particular user is not a member of the appropriate group (wheel or otherwise), then that user cannot use su at all, even to su to another non-root user. Power trip, baby!
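
A read-only check of the configuration described in the post above, added here as an example (it is not part of the original post): it reports which group the active pam_wheel.so line in a PAM su file enforces and who is listed in that group. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of the pam_wheel gate on su.

# su_gate_group FILE
# Prints the group enforced by the first active pam_wheel.so auth line in a
# PAM service file; "wheel" when no group= option is present. Returns 1 when
# no active pam_wheel line exists (su is then not limited by group).
su_gate_group() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out lines do nothing
        $1 == "auth" && /pam_wheel\.so/ {
            grp = "wheel"                        # module default without group=
            for (i = 1; i <= NF; i++)
                if ($i ~ /^group=/) grp = substr($i, 7)
            print grp
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# group_members GROUP GROUPFILE
# Prints the member list of GROUP from a group(5)-format file. Users who have
# GROUP only as their primary group are not listed in this field.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Demo on constructed sample files (not taken from a real system).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        '#auth sufficient pam_wheel.so trust use_uid' \
        'auth required /lib/security/pam_wheel.so use_uid group=sugrp' \
        > "$dir/su"
    printf '%s\n' 'wheel:x:10:root' 'sugrp:x:1001:alice,bob' > "$dir/group"
    if grp=$(su_gate_group "$dir/su"); then
        echo "su is limited to group '$grp': $(group_members "$grp" "$dir/group")"
    else
        echo "no active pam_wheel line: su is not group-restricted"
    fi
    rm -rf "$dir"
}

demo
```

On a live system, point su_gate_group at /etc/pam.d/su and compare the result with the output of getent group for that name.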
depontius Advocate
Joined: 05 May 2004 Posts: 3522
Posted: Wed Mar 21, 2018 11:38 am
Doesn't this just confer the privileges of "wheel" to the new group you've chosen? Isn't this just wheel, by another name?
_________________
.sigs waste space and bandwidth
Hu Administrator
Joined: 06 Mar 2007 Posts: 22806
Posted: Thu Mar 22, 2018 1:51 am
Mostly, yes. It does separate wheel's ability to su from all the other privileges that the wheel group grants, so you can give someone those privileges and not su or vice versa. On my system, those privileges amount to the ability to run /usr/sbin/cron. That's the only filesystem-related permission where wheel is used. So in practice, yes, it's almost equivalent to merely renaming wheel.
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Sun Apr 08, 2018 6:20 pm
Hu wrote:
"Mostly, yes. It does separate wheel's ability to su from all the other privileges that the wheel group grants, so you can give someone those privileges and not su or vice versa. On my system, those privileges amount to the ability to run /usr/sbin/cron. That's the only filesystem-related permission where wheel is used. So in practice, yes, it's almost equivalent to merely renaming wheel."

The underlined emphasis is dangerous there, as sysadmins can and will set up their machines to use the wheel group on what a programmer might think is an "ad-hoc" basis, but is definitely intended usage.
Further, that's only on your machine, running a subset of available and future software (the set we must handle, or at least allow for.)
@nadampel: it seems like you need: visudo wrt the first part of your post.
Secondly, it's good to see someone sharing PAM configuration. Keep it up.
Not sure I share your megalomania ;) but I highly recommend you /join #bash on IRC: chat.freenode.org or .net for more sysadmin knowhow.