Permitting or Restricting a User's `su` Access to Privileged Accounts
Environment
- Red Hat Enterprise Linux (RHEL) 7
- Red Hat Enterprise Linux (RHEL) 6
- Red Hat Enterprise Linux (RHEL) 5
Issue
- How do I configure PAM to restrict su to some users only?
- How can I restrict a group of users so that they can only su to certain target accounts?
Resolution
Using Group Membership to Control su Behaviour
- PAM can be configured to allow different groups of users access to specific target accounts through su.
- The PAM modules required are:
pam_succeed_if.so
pam_wheel.so
pam_listfile.so
- PAM must be configured to permit users from a specific group to use su while restricting the target identities they may switch to. With <group_name> and <file_with_allowed_target_UIDs> changed to reflect your deployment, the three lines for one group look like this:
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup <group_name>
auth required pam_wheel.so use_uid group=<group_name>
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/<file_with_allowed_target_UIDs>
- How the three lines work: for a caller who is not a member of <group_name>, pam_succeed_if succeeds and success=2 skips the next two modules, so the block has no effect on that caller. For a member, pam_succeed_if fails (default=ignore, so the stack simply continues), pam_wheel confirms that the caller's real UID (use_uid) belongs to <group_name>, and pam_listfile then requires the name of the target account (item=user is the account being switched to, not the caller) to appear in the allow-list. onerr=fail means that a missing or unsafe list denies access rather than allowing it.
- The allow-list holds account names, one per line, not numeric UIDs.
- Callers who are members of none of the gated groups skip every block and fall through to the normal su authentication (auth include system-auth), so they remain able to su to any account whose password they know. This configuration only constrains members of the gated groups; a user who must not be able to su at all needs to be handled separately, for example by placing them in a gated group whose allow-list is empty. A caller who is a member of more than one gated group must satisfy every one of those groups' allow-lists.
Example
- Add some users to test with
[root@ldap ~]# useradd user1
[root@ldap ~]# useradd user2
[root@ldap ~]# useradd user3
[root@ldap ~]# useradd user4
- Add some groups to test with
[root@ldap ~]# groupadd groupa
[root@ldap ~]# groupadd groupb
- Assign the users to their respective groups
[root@ldap ~]# usermod -G groupa user1
[root@ldap ~]# usermod -G groupa user2
[root@ldap ~]# usermod -G groupb user3
[root@ldap ~]# usermod -G groupb user4
- Confirm they are correctly assigned by checking the output of getent
[root@ldap ~]# getent group groupa
groupa:*:16777216:user2,user1
[root@ldap ~]# getent group groupb
groupb:*:16777217:user4,user3
- Add the target accounts that groupa users are allowed to switch to, one per line, in /etc/security/su-groupa-access
[root@ldap ~]# cat /etc/security/su-groupa-access
oracle
root
- NOTE: /etc/security/su-groupa-access must be a plaintext file that is not world writable; pam_listfile refuses a world-writable or non-regular file, and with onerr=fail that refusal denies su to every member of the group.
- Add the target accounts that groupb users are allowed to switch to in /etc/security/su-groupb-access
[root@ldap ~]# cat /etc/security/su-groupb-access
root
- NOTE: /etc/security/su-groupb-access must likewise be a plaintext file that is not world writable.
- Configure /etc/pam.d/su
[root@ldap ~]# cat /etc/pam.d/su
auth sufficient pam_rootok.so
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup groupa
auth required pam_wheel.so use_uid group=groupa
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-groupa-access
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup groupb
auth required pam_wheel.so use_uid group=groupb
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-groupb-access
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
- Verify the changes
- The above changes mean that:
- Members of groupa (user1 & user2) may only su to root & oracle
- Members of groupb (user3 & user4) may only su to root
- root is unaffected, because pam_rootok.so is sufficient and runs first
- Users in neither group are not restricted by these lines and fall through to the normal su password check
- Log in as one of the test users and use su to try to change UID to a permitted, and then to a banned, target identity. Because pam_listfile is marked required, the banned attempt must fail even when the correct password for the target account is entered; confirm that /var/log/secure records the refusal.
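The following audit helper is an added example and is not part of the Red Hat solution. It parses an /etc/pam.d/su laid out with the pam_wheel/pam_listfile pairs shown above, applies the same sanity checks to each allow-list that pam_listfile does (regular file, not world-writable), and models the resulting decision for a given caller and target so the policy can be reviewed without logging in as every test user. It assumes the caller's group list is passed in explicitly (on a live host that would be the output of id -nG for the caller); the function names su_triplets, su_listfile_ok, su_allowed and su_audit are this example's own.

```shell
#!/bin/sh
# Audit helper for the group-gated /etc/pam.d/su stack (added example, not
# Red Hat's code). Assumptions: the stack uses the pam_succeed_if / pam_wheel /
# pam_listfile triplets exactly as shown in the article, and the caller's
# groups are supplied explicitly so the decision can be modelled offline, e.g.
#   su_allowed /etc/pam.d/su root $(id -nG user1)

# Print "group|allow-list file" for every pam_wheel + pam_listfile pair in the
# given PAM service file (group from pam_wheel's group= option, file from
# pam_listfile's file= option).
su_triplets() {
    awk '
        $1 == "auth" && $3 == "pam_wheel.so" {
            grp = ""
            for (i = 4; i <= NF; i++) if ($i ~ /^group=/) grp = substr($i, 7)
        }
        $1 == "auth" && $3 == "pam_listfile.so" {
            for (i = 4; i <= NF; i++) if ($i ~ /^file=/) print grp "|" substr($i, 6)
            grp = ""
        }' "$1"
}

# The checks pam_listfile applies before trusting a list: it must be a regular
# file and must not be world-writable (column 9 of "ls -ld" is the other-write
# bit). With onerr=fail, a list that fails these checks denies su.
su_listfile_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        ????????w*) return 1 ;;
    esac
    return 0
}

# Model the decision for one caller/target pair.
#   su_allowed <pam file> <target account> <caller's groups...>  -> prints allow|deny
# Semantics of the stack being modelled:
#   * pam_succeed_if "user notingroup G" skips G's pair for anyone outside G, so a
#     caller in no gated group falls through to system-auth and may su to ANY
#     account whose password they know;
#   * a caller in G must find the target in G's list (exact line match);
#   * a caller in several gated groups must pass every one of their lists.
# root is not modelled: pam_rootok.so lets uid 0 through before these lines.
su_allowed() {
    pamfile=$1; target=$2; shift 2
    caller_groups=" $* "
    verdict=allow
    while IFS='|' read -r grp file; do
        [ -n "$grp" ] || continue
        case "$caller_groups" in
            *" $grp "*) ;;      # caller is in this gated group: its list applies
            *) continue ;;      # skipped by pam_succeed_if for everyone else
        esac
        if ! su_listfile_ok "$file" || ! grep -qxF -- "$target" "$file"; then
            verdict=deny
        fi
    done <<EOF
$(su_triplets "$pamfile")
EOF
    echo "$verdict"
}

# Human-readable report: each gated group, its list and the targets it permits.
su_audit() {
    su_triplets "$1" | while IFS='|' read -r grp file; do
        [ -n "$grp" ] || continue
        if su_listfile_ok "$file"; then
            printf '%-10s %s -> %s\n' "$grp" "$file" "$(tr '\n' ' ' < "$file")"
        else
            printf '%-10s %s -> MISSING or world-writable: onerr=fail denies all su for this group\n' "$grp" "$file"
        fi
    done
}

# Usage: sh su-audit.sh /etc/pam.d/su
if [ $# -gt 0 ]; then su_audit "$1"; fi
```

Run it against the real /etc/pam.d/su after every change to the allow-lists: the report makes a world-writable list (which silently locks the whole group out) and the fall-through for ungated users visible at a glance.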
Older Releases
- If you are running Red Hat Enterprise Linux 4, similar guidance can be found in How do I control PAM access to 'su'?
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.