The root user is able to run "su -l <username>" even after the system is configured with netgroup-based access control using the pam_access.so module.

Solution Verified - Updated -

Issue

  • Users who are not members of the netgroup are able to log in when the root user runs "su -l <username>", after the system is configured with netgroup-based access using pam_access.so.
    To disallow this, the following line was added to the /etc/pam.d/su file. However, local users are then unable to log in, even after pam_localuser.so is added above it:
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required    pam_wheel.so use_uid
auth        include     system-auth
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     sufficient  pam_localuser.so debug
session     required    pam_access.so accessfile=/etc/security/access.netgroup.conf debug
session     optional    pam_xauth.so

Environment

  • Red Hat Enterprise Linux 5
  • pam-0.99.6.2-6.el5_4.1
  • pam_access.so
  • netgroup
