Permitting or Restricting a User's `su` Access to Privileged Accounts

Solution Verified

Environment

  • Red Hat Enterprise Linux (RHEL) 7
  • Red Hat Enterprise Linux (RHEL) 6
  • Red Hat Enterprise Linux (RHEL) 5

Issue

  • How do I configure PAM so that only certain users are allowed to use su?
  • How can I restrict a group of users so that they can only su to certain target accounts?

Resolution

Using Group Membership to Control su Behaviour

  • PAM can be configured to allow different groups of users access to specific target accounts through su
    • The PAM modules required are:
      • pam_succeed_if.so
      • pam_wheel.so
      • pam_listfile.so
  • PAM is configured so that members of a specific group may use su, but only to the target accounts listed in a per-group file
  • The three lines work as a unit: the first line skips the next two (success=2) when the calling user (use_uid, i.e. the real UID, not the account being switched to) is not a member of the group; for members, pam_wheel.so re-checks the membership and pam_listfile.so permits the attempt only if the target account name appears in the file. item=user is matched against the target account because su starts PAM with the account being switched to as PAM_USER
  • With <group_name> and <file_with_allowed_target_UIDs> changed to reflect your deployment, the configuration for one group looks like this:

    auth           [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup <group_name>
    auth           required pam_wheel.so use_uid group=<group_name>
    auth           required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/<file_with_allowed_target_UIDs>
    

Example

  1. Add some users to test with

    [root@ldap ~]# useradd user1
    [root@ldap ~]# useradd user2
    [root@ldap ~]# useradd user3
    [root@ldap ~]# useradd user4
    
  2. Add some groups to test with

    [root@ldap ~]# groupadd groupa
    [root@ldap ~]# groupadd groupb
    
  3. Assign the users to their respective groups (usermod -G replaces the user's whole supplementary group list; use usermod -aG to add a group without dropping the groups the user already has)

    [root@ldap ~]# usermod -G groupa user1
    [root@ldap ~]# usermod -G groupa user2
    [root@ldap ~]# usermod -G groupb user3
    [root@ldap ~]# usermod -G groupb user4
    
  4. Confirm they are correctly assigned by checking the output of getent

    [root@ldap ~]# getent group groupa
    groupa:*:16777216:user2,user1
    [root@ldap ~]# getent group groupb
    groupb:*:16777217:user4,user3
    
  5. Add the target accounts that groupa users are allowed to su to, one user name per line, in /etc/security/su-groupa-access

    [root@ldap ~]# cat /etc/security/su-groupa-access
    oracle
    root
    
    • NOTE: /etc/security/su-groupa-access must be a plaintext regular file that is not world writable (it should be owned by root with mode 0644 or stricter); pam_listfile refuses any other file and, with onerr=fail, then denies every su attempt that reaches that line.
  6. Add the target accounts that groupb users are allowed to su to, one user name per line, in /etc/security/su-groupb-access

    [root@ldap ~]# cat /etc/security/su-groupb-access
    root
    
    • NOTE: /etc/security/su-groupb-access must be a plaintext regular file that is not world writable, under the same rules as the groupa file.
  7. Configure /etc/pam.d/su

    [root@ldap ~]# cat /etc/pam.d/su
    auth           sufficient     pam_rootok.so
    auth           [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup groupa
    auth           required pam_wheel.so use_uid group=groupa
    auth           required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-groupa-access
    auth           [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup groupb
    auth           required pam_wheel.so use_uid group=groupb
    auth           required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-groupb-access
    auth           include        system-auth
    account        sufficient     pam_succeed_if.so uid = 0 use_uid quiet
    account        include        system-auth
    password       include        system-auth
    session        include        system-auth
    session        optional       pam_xauth.so
    
  8. Verify the changes

    • The above changes mean that:
      • Members of groupa (user1 & user2) may only su to root & oracle
      • Members of groupb (user3 & user4) may only su to root
      • A user who is in both groups must satisfy both lists, so in this example may only su to root
      • Users in neither group are not restricted by these lines at all; they fall through to system-auth and simply need the target account's password
      • root still bypasses all of these checks through pam_rootok.so
    • Keep a root shell open while editing /etc/pam.d/su; a typo in the auth stack can lock every user out of su until it is corrected
    • Log in as one of the test users and use su to try and change to a permitted, and then a banned, target account; failed attempts are recorded in /var/log/secure
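The whole procedure as one script, added here as an example and not part of the Red Hat solution: it prints the per-group stanza, assembles a staging copy of /etc/pam.d/su, checks each allow-list file the way pam_listfile will (a regular file that is not world writable), and models the decision the generated auth lines make for a caller with given groups, which makes the "user in both groups" and "user in neither group" cases visible without actually running su. The function names, the group:file argument convention, the demo switch and the constructed allow lists are this example's own; the model covers only the three stanza lines, not pam_rootok.so or the password check in system-auth.

```shell
#!/bin/bash
# Added example, not part of the Red Hat solution. Builds and checks the
# per-group su restriction from the article without touching the live
# /etc/pam.d/su. Function names and the group:file argument convention
# are this example's own.

# Print the three-line auth stanza for one group: skip the next two lines
# when the caller (use_uid) is not in the group; otherwise require group
# membership (pam_wheel) and a listed target account (pam_listfile).
su_stanza() {
    local group="$1" file="$2"
    printf 'auth           [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup %s\n' "$group"
    printf 'auth           required pam_wheel.so use_uid group=%s\n' "$group"
    printf 'auth           required pam_listfile.so item=user sense=allow onerr=fail file=%s\n' "$file"
}

# pam_listfile rejects a file that is not a regular file or is world
# writable, and with onerr=fail that denies every su through the stanza.
# Returns 0 only when the file passes those checks.
check_allow_file() {
    local file="$1"
    [ -n "$(find "$file" -prune -type f ! -perm -002 2>/dev/null)" ] ||
        { echo "$file: missing, not a regular file, or world writable" >&2; return 1; }
}

# Assemble a complete su PAM stack into "$out" from group:file pairs,
# around the default RHEL lines shown in the article. Stage it and diff
# against /etc/pam.d/su rather than editing the live file in place.
build_su_pam() {
    local out="$1" pair; shift
    {
        echo 'auth           sufficient     pam_rootok.so'
        for pair in "$@"; do su_stanza "${pair%%:*}" "${pair#*:}"; done
        echo 'auth           include        system-auth'
        echo 'account        sufficient     pam_succeed_if.so uid = 0 use_uid quiet'
        echo 'account        include        system-auth'
        echo 'password       include        system-auth'
        echo 'session        include        system-auth'
        echo 'session        optional       pam_xauth.so'
    } > "$out"
}

# Model what the generated auth lines decide for one attempt, before the
# password prompt in system-auth (pam_rootok is not modelled). Arguments:
# the caller's group names (space separated), the target account, then the
# same group:file pairs. Prints "allow" or "deny".
predict_su() {
    local caller_groups="$1" target="$2" pair group file; shift 2
    for pair in "$@"; do
        group=${pair%%:*}; file=${pair#*:}
        # pam_succeed_if notingroup: caller not in this group -> stanza skipped
        case " $caller_groups " in *" $group "*) ;; *) continue ;; esac
        # caller is in the group, so pam_wheel passes; pam_listfile must find
        # the target name as an exact line (a missing file is onerr=fail)
        grep -qx "$target" "$file" 2>/dev/null || { echo deny; return 0; }
    done
    echo allow
}

# Usage: "./su-restrict.sh demo" builds a staging copy from constructed
# allow lists (the same contents as the article's files) and tries it out.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'oracle\nroot\n' > "$d/su-groupa-access"; chmod 644 "$d/su-groupa-access"
    printf 'root\n'         > "$d/su-groupb-access"; chmod 644 "$d/su-groupb-access"
    pairs="groupa:$d/su-groupa-access groupb:$d/su-groupb-access"
    for p in $pairs; do check_allow_file "${p#*:}"; done
    build_su_pam "$d/su" $pairs
    echo "staged stack in $d/su ($(wc -l < "$d/su") lines)"
    echo "groupa        -> oracle: $(predict_su groupa oracle $pairs)"           # allow
    echo "groupb        -> oracle: $(predict_su groupb oracle $pairs)"           # deny
    echo "groupa groupb -> oracle: $(predict_su 'groupa groupb' oracle $pairs)"  # deny (both lists apply)
    echo "users         -> oracle: $(predict_su users oracle $pairs)"            # allow (no stanza matches)
fi
```

The `predict_su` model reproduces only the group and allow-list logic of the stanzas: a real su still asks for the target account's password through system-auth, and root skips everything via pam_rootok.so. The "users" case is the one to keep in mind, since a user who is in none of the configured groups is not restricted by these lines at all.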

Component

  • pam

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

11 Comments

Hello

Is it possible to have a user in two different groups? For example, user1 will be in groupa and groupb.

Thanks

It's not so clear... what happens with users that don't belong to group A or group B?

Hello. It seems it is not possible to have a user in two different groups? For example, user1 will be in groupa and groupb.

I've found that restricting su access by netgroups is possible too. Test box is RHEL 6.10. /etc/pam.d/su:

auth           [success=2 default=ignore] pam_succeed_if.so use_uid user innetgr <netgroup>
# This is a bogus group, but seems necessary to make it work.
auth            required        pam_wheel.so use_uid  group=borkborkbork
auth            include         system-auth

Is this behavior intentional? If not, it needs to be! Thanks.

Restriction is not working

This doesn't seem to work for AD/domain groups. Does this have to be a local group?

If you use a group entry it will work:

auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup adgroup01-user
auth required pam_wheel.so use_uid group=adgroup01-user
auth required pam_listfile.so item=group sense=allow onerr=fail file=/etc/security/su-p-group-access2

cat /etc/security/su-p-group-access2
adgroup01-admin

In the above example adgroup01-user and adgroup01-admin are AD groups.

I added another groupc and added user5 and user6. Now how do I restrict user5 and user6 from su to root? With the above it is not working?

Same issue here... hope someone answers.

If you want a group that does not have su privileges, you can create a group like your groupc:

[root@ldap ~]# groupadd groupc

then add the users to that group:

[root@ldap ~]# usermod -G groupc user5
[root@ldap ~]# usermod -G groupc user6

create a blank access file, or remove the root entry from it, for your new groupc:

[root@ldap ~]# cat /etc/security/su-groupc-access

All users in groupc will not be able to su.

Hello,

How do I permit su access for an AD/domain user, where the group is created in IdM (Red Hat)?