On 05/26/11 at 07:31pm, Stanisław Findeisen wrote:
> pam_wheel lets you su to root without typing a password if you are a
> member of a specific group.
> 
> I need a PAM module with more flexible applicant user / target user
> pairs management. For instance I'd like to be able to su with no
> password from user A to users B and C, but not to root.
> 
> What is the way to do it?

If you must use PAM, consider using pam_listfile with an authorized list of 
target users, or setting sense=deny and blacklisting root specifically. 
Configuring multiple PAM modules to work together may be necessary to meet 
every part of your requirement, and this can be complicated and invites serious 
study and testing prior to implementation.

If PAM is not an absolute requirement, simply consider allowing the specific su 
commands via sudo. The sudo configuration is a much more straightforward access 
control and can be easily configured not to require passwords.

A basic sudoers example is listed below:

User_Alias    SU_USERS = username1,username2,username3 # users who may use su-to-user
Cmnd_Alias    SU_NOT_ROOT = /usr/bin/su - targetuser1, /usr/bin/su - targetuser2

SU_USERS      ALL = NOPASSWD: SU_NOT_ROOT

Now username1, 2 and 3 can sudo su - targetuser1 or sudo su - targetuser2 
without a password, and attempts to su - or sudo su - will fail and be logged. 

Hope this helps!

--
Liam
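As an added illustration (not part of Liam's reply), the following Python reads the sudoers fragment above and answers "may this user run this exact su command, and with or without a password?", so you can see why "su - targetuser1" is allowed and "su -" or "su - root" is not. It assumes a constructed copy of the fragment, handles only User_Alias, Cmnd_Alias and "ALL"-host rules with exact command matching, and is a reading aid, not a replacement for visudo -c or sudo -l.

```python
# Constructed sudoers fragment, copied from the reply above (assumed input).
SUDOERS = """
User_Alias    SU_USERS = username1,username2,username3 # users who may use su-to-user
Cmnd_Alias    SU_NOT_ROOT = /usr/bin/su - targetuser1, /usr/bin/su - targetuser2
SU_USERS      ALL = NOPASSWD: SU_NOT_ROOT
"""


def _norm(cmd):
    # sudo matches the full argument list exactly; collapse whitespace only.
    return " ".join(cmd.split())


def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, rules) from a minimal sudoers text."""
    users, cmnds, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("User_Alias") or line.startswith("Cmnd_Alias"):
            kind, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            target = users if kind == "User_Alias" else cmnds
            target[name.strip()] = [_norm(m) for m in members.split(",")]
        else:
            # Rule form: WHO HOSTS = [NOPASSWD:] CMD, CMD ...
            who, rest = line.split(None, 1)
            hosts, spec = rest.split("=", 1)
            nopasswd = "NOPASSWD:" in spec
            cmd_part = spec.replace("NOPASSWD:", "").replace("PASSWD:", "")
            rules.append((who, hosts.strip(), nopasswd,
                          [_norm(c) for c in cmd_part.split(",")]))
    return users, cmnds, rules


def check(text, user, command):
    """'NOPASSWD', 'PASSWD' or None for whether user may run command via sudo."""
    users, cmnds, rules = parse_sudoers(text)
    wanted = _norm(command)
    for who, hosts, nopasswd, cmds in rules:
        if hosts != "ALL" or user not in users.get(who, [who]):
            continue
        for c in cmds:
            if wanted in cmnds.get(c, [c]):  # expand Cmnd_Alias or literal
                return "NOPASSWD" if nopasswd else "PASSWD"
    return None  # no matching rule: sudo denies and logs the attempt


if __name__ == "__main__":
    for u, c in [("username1", "su - targetuser1"), ("username1", "su -")]:
        print(u, c, "->", check(SUDOERS, u, "/usr/bin/" + c))
```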
