Permitting or Restricting a User's `su` Access to Privileged Accounts


Environment

  • Red Hat Enterprise Linux (RHEL) 7
  • Red Hat Enterprise Linux (RHEL) 6
  • Red Hat Enterprise Linux (RHEL) 5

Issue

  • How do I configure pam to restrict su to some users only?
  • How can I restrict a group of users to su only some users?

Resolution

Using Group Membership to Control su Behaviour

  • PAM can be configured to allow different groups of users access to specific target UIDs through su
    • The PAM modules required are:
      • pam_succeed_if.so
      • pam_wheel.so
      • pam_listfile.so
  • PAM must be configured to grant users in a specific group permission to use su, while restricting the target identities they may switch to
  • With <group_name> and <file_with_allowed_target_UIDs> changed to reflect your deployment, the configuration looks like this:

    auth           [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup <group_name>
    auth           required pam_wheel.so use_uid group=<group_name>
    auth           required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/<file_with_allowed_target_UIDs>
    

Example

  1. Add some users to test with

    [root@ldap ~]# useradd user1
    [root@ldap ~]# useradd user2
    [root@ldap ~]# useradd user3
    [root@ldap ~]# useradd user4
    
  2. Add some groups to test with

    [root@ldap ~]# groupadd groupa
    [root@ldap ~]# groupadd groupb
    
  3. Assign the users to their respective groups

    [root@ldap ~]# usermod -G groupa user1
    [root@ldap ~]# usermod -G groupa user2
    [root@ldap ~]# usermod -G groupb user3
    [root@ldap ~]# usermod -G groupb user4
    
  4. Confirm they are correctly assigned by checking the output of getent

    [root@ldap ~]# getent group groupa
    groupa:*:16777216:user2,user1
    [root@ldap ~]# getent group groupb
    groupb:*:16777217:user4,user3
    
  5. Add the target UIDs that groupa users are allowed to access in /etc/security/su-groupa-access

    [root@ldap ~]# cat /etc/security/su-groupa-access
    oracle
    root
    
    • NOTE: /etc/security/su-groupa-access must be a plaintext file, one target user name per line, that is not world writable.
  6. Add the target UIDs that groupb users are allowed to access in /etc/security/su-groupb-access

    [root@ldap ~]# cat /etc/security/su-groupb-access
    root
    
    • NOTE: /etc/security/su-groupb-access must be a plaintext file, one target user name per line, that is not world writable.
  7. Configure /etc/pam.d/su

    [root@ldap ~]# cat /etc/pam.d/su
    auth           sufficient     pam_rootok.so
    auth           [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup groupa
    auth           required pam_wheel.so use_uid group=groupa
    auth           required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-groupa-access
    auth           [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup groupb
    auth           required pam_wheel.so use_uid group=groupb
    auth           required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-groupb-access
    auth           include        system-auth
    account        sufficient     pam_succeed_if.so uid = 0 use_uid quiet
    account        include        system-auth
    password       include        system-auth
    session        include        system-auth
    session        optional       pam_xauth.so
    
  8. Verify the changes

    • The above changes mean that:
      • Members of groupa (user1 & user2) may only su to root & oracle
      • Members of groupb (user3 & user4) may only su to root
    • Log in as one of the test users and use su to try to change UID to a permitted, and then a banned, target identity
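To see how the stack in step 7 is evaluated before touching a real system, the following is an added Python model of its auth section (example code, not Red Hat's and not a real PAM implementation). It assumes the access files hold the names shown in steps 5 and 6, and it makes two consequences of the `[success=2 default=ignore]` skips explicit: a caller who is in both groups may only su to a target listed in both files, and a caller in neither group skips both blocks and is limited only by the password check in system-auth.

```python
import re

# Auth section of /etc/pam.d/su from step 7 (groupa/groupb are the test groups above).
PAM_SU_AUTH = """\
auth sufficient pam_rootok.so
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup groupa
auth required pam_wheel.so use_uid group=groupa
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-groupa-access
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup groupb
auth required pam_wheel.so use_uid group=groupb
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-groupb-access
auth include system-auth
"""
# Constructed stand-ins for the two access files (one target user name per line).
ACCESS_FILES = {
    "/etc/security/su-groupa-access": {"oracle", "root"},
    "/etc/security/su-groupb-access": {"root"},
}
LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def run_module(module, args, caller_groups, target, caller_uid, password_ok):
    """Model one module's verdict; use_uid means 'look at the calling user', not the target."""
    if module == "pam_rootok.so":
        return caller_uid == 0
    if module == "pam_succeed_if.so":       # only 'use_uid user notingroup G' is modelled
        return args[-1] not in caller_groups
    if module == "pam_wheel.so":
        return next(a[6:] for a in args if a.startswith("group=")) in caller_groups
    if module == "pam_listfile.so":         # item=user sense=allow: target must be listed
        return target in ACCESS_FILES[next(a[5:] for a in args if a.startswith("file="))]
    if module == "system-auth":             # the password prompt, treated as 'required'
        return password_ok
    raise ValueError(f"unmodelled module {module}")

def su_permitted(caller_groups, target, caller_uid=1000, password_ok=True):
    """Walk the stack honouring sufficient, required and [success=N default=ignore]."""
    lines = [LINE_RE.match(l).groups() for l in PAM_SU_AUTH.splitlines()]
    i, failed = 0, False
    while i < len(lines):
        _, control, module, rest = lines[i]
        ok = run_module(module, rest.split(), caller_groups, target, caller_uid, password_ok)
        if control == "sufficient" and ok and not failed:
            return True                      # short-circuit: root needs no further checks
        if control in ("required", "include") and not ok:
            failed = True                    # remembered, but the stack keeps running
        if ok and control.startswith("[success="):
            i += int(re.search(r"success=(\d+)", control).group(1))  # skip that group's block
        i += 1
    return not failed
```

Calling `su_permitted(set(), "oracle")` returns True, which shows that a user outside both groups is restricted only by the password; add a further guard if that is not the intent for your deployment.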

Component

  • pam

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
