Gentoo Forums
Access to su without being in the wheel group (the PAM way)
Forum: Documentation, Tips & Tricks
grafty (n00b), Joined: 27 Jan 2003, Posts: 33
Posted: Mon Jan 27, 2003 7:15 am    Post subject: Access to su without being in the wheel group (the PAM way)

Access to su without being in the wheel group (the PAM way)

If you're like me, then you're a little nervous about granting your non-root user access to the wheel group just so you can use su when you need to. Users in the wheel group are a little more powerful than the standard user, and I like to keep my non-root user as powerless as possible (it's a power trip :) )

There are a couple of ways to do this. In particular, you can do this with sudo and the /etc/sudoers file, but I am not adept in the ways of sudo (perhaps someone can post a reply instructing how to do this with sudo?), and I prefer the simpler solution of using PAM (Pluggable Authentication Modules) directly.

First, make sure that you have PAM installed.
Code:
emerge sys-libs/pam


Now, edit the /etc/pam.d/su file. This file contains configuration information about which PAM modules to load to enforce security with respect to the su command. In this file, look for the line that looks like this:
Code:
auth required /lib/security/pam_wheel.so use_uid


This line loads the pam_wheel.so module, which tells PAM that in order to use su, it is required that the requesting user be a part of the wheel group. We can change this default behavior by telling PAM that we want it to check for a different group. Simply append group=<nameOfGroup> to the end of that line to make su recognize a group other than wheel. For example:

Code:
auth required /lib/security/pam_wheel.so use_uid group=sugrp


In this case, PAM will require that any user requesting to use the su command must be a member of the sugrp group.

All that remains is adding to the appropriate group all of the users that you want to use su.

NOTE: This method affects all use of the su command, even to users other than the root. That is, if a particular user is not a member of the appropriate group (wheel or otherwise), then that user cannot use su at all, even to su to another non-root user. Power trip, baby! :)
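The pam_wheel policy described in the post above, as an added example that is not part of the thread: a POSIX sh script that reads a /etc/pam.d/su-style file, reports which group pam_wheel enforces (defaulting to wheel when no group= option is present), flags the trust option that would let that group reach root without the root password, and then checks which users of an /etc/group-style file the policy admits. The group name sugrp comes from the post; the sample file contents and the user names alice, bob, carol and dave are constructed for the demonstration, and the script assumes standard grep, sed, awk and mktemp.

```shell
#!/bin/sh
# Added example, not part of the forum thread: audit a /etc/pam.d/su-style
# file to find which group pam_wheel enforces for su (and whether the
# "trust" option lets that group reach root without a password), then check
# which users of an /etc/group-style file the policy admits.
# File contents and user names below are constructed for the demonstration.
set -u

# Print the group pam_wheel enforces in the given PAM service file.
# Defaults to "wheel" when no group= option is present; prints nothing when
# no uncommented auth line loads pam_wheel.so (then pam_wheel restricts nobody).
pam_wheel_group() {
    pamfile=$1
    line=$(grep -v '^[[:space:]]*#' "$pamfile" \
        | grep -E '^auth[[:space:]]+(required|requisite|sufficient)[[:space:]]+[^[:space:]]*pam_wheel\.so' \
        | head -n 1) || true
    [ -n "$line" ] || return 0
    grp=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]group=\([^[:space:]]*\).*/\1/p')
    printf '%s\n' "${grp:-wheel}"
}

# Exit 0 when the pam_wheel line carries "trust": members of the enforced
# group then become root without supplying the root password.
pam_wheel_trusts() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq 'pam_wheel\.so.*[[:space:]]trust([[:space:]]|$)'
}

# Print the supplementary members of a group from an /etc/group-style file,
# one per line. (Primary-group membership recorded in /etc/passwd is not
# consulted here; a full audit would check that as well.)
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Exit 0 if the user may invoke su under the file's pam_wheel policy, 1 if not.
user_can_su() {
    pamfile=$1; gfile=$2; user=$3
    grp=$(pam_wheel_group "$pamfile")
    [ -n "$grp" ] || return 0          # pam_wheel not loaded: no restriction
    group_members "$gfile" "$grp" | grep -qx "$user"
}

# Write constructed sample files into a fresh directory and print its path.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/su" <<'EOF'
# constructed sample of /etc/pam.d/su, in the form shown in the thread
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_wheel.so use_uid group=sugrp
auth       required     /lib/security/pam_unix.so
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
wheel:x:10:alice
sugrp:x:1001:bob,carol
users:x:100:alice,bob,carol,dave
EOF
    printf '%s\n' "$d"
}

# Demonstration run: report the policy and a verdict for each sample user.
report() {
    dir=$(make_sample)
    grp=$(pam_wheel_group "$dir/su")
    printf 'su restricted to group: %s\n' "${grp:-(none)}"
    if pam_wheel_trusts "$dir/su"; then
        echo 'WARNING: trust is set; group members reach root without a password'
    fi
    for u in alice bob carol dave; do
        if user_can_su "$dir/su" "$dir/group" "$u"; then
            echo "$u: may run su"
        else
            echo "$u: denied by pam_wheel"
        fi
    done
    rm -rf "$dir"
}

report
```

Pointing pam_wheel_group and user_can_su at the real /etc/pam.d/su and /etc/group gives the same report for a live system; the trust check is the one worth running after any edit to that line, since it turns membership in the enforced group into passwordless root.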
drakonite (l33t), Joined: 02 Nov 2002, Posts: 768, Location: Lincoln, NE
Posted: Mon Jan 27, 2003 9:37 am

What extra powers does a person in the wheel group have besides being able to use su?
_________________
Shoot Pixels Not People

My GPG/PGP Public key
grafty (n00b), Joined: 27 Jan 2003, Posts: 33
Posted: Mon Jan 27, 2003 7:35 pm

The wheel group (used more commonly in BSDs than in linuxes) is traditionally used for quasi-administrative purposes. For a list of all of the files that wheel members have access to, try this:
Code:
find / -group wheel


On my system, for example, members of the wheel group have access to almost 7000 files to which normal users do not have access.
rac (Bodhisattva), Joined: 30 May 2002, Posts: 6553, Location: Japanifornia
Posted: Mon Jan 27, 2003 9:08 pm

But if somebody's a member of the sugrp group, they can become root and do anything anybody in wheel could have done.
_________________
For every higher wall, there is a taller ladder
compu-tom (Guru), Joined: 09 Jan 2003, Posts: 415, Location: Berlin, Germany
Posted: Mon Jan 27, 2003 9:17 pm

What if I only want to give a user the permission to "su anybody" where anybody is not root?
Su doesn't mean necessarily becoming root.
Nevertheless the user has "wheel" permissions now because I had to add the user to "wheel"...
grafty (n00b), Joined: 27 Jan 2003, Posts: 33
Posted: Mon Jan 27, 2003 9:36 pm

rac wrote:
But if somebody's a member of the sugrp group, they can become root and do anything anybody in wheel could have done.


Only if they know the root password. If you're a member of the wheel group, you automatically have access to wheel files. If you're not a member of the wheel group, but instead a member of the sugrp group, then you CAN su to root, but you have to enter in the password.

Even if you didn't have to enter the root password (which you can set up), you would still be safer running things as your standard non-root user because you know you can't break things that wheel users can break (unless you su to root). It's the whole purpose of not running everything as root in the first place.
rtn (Guru), Joined: 15 Nov 2002, Posts: 427
Posted: Mon Jan 27, 2003 10:44 pm    Post subject: Re: Access to su without being in the wheel group (the PAM w

grafty wrote:

There are a couple of ways to do this. In particular, you can do this with sudo and the /etc/sudoers file, but I am not adept in the ways of sudo (perhaps someone can post a reply instructing how to do this with sudo?), and I prefer the simpler solution of using PAM (Pluggable Authentication Modules) directly.


It's pretty easy to set up with sudo. You can just add the user to /etc/sudoers
with whatever permissions that user needs. You could use this for example:

Code:
user        ALL=(ALL) /bin/su,/bin/bash


Then you could either use sudo to give you a subshell with root privs:

Code:
sudo -s


or you could manually sudo su or bash

Code:
sudo /bin/su -
sudo /bin/bash


It's all covered in the man pages for sudo, visudo, and sudoers.

--rtn
rac (Bodhisattva), Joined: 30 May 2002, Posts: 6553, Location: Japanifornia
Posted: Tue Jan 28, 2003 5:24 pm

I just got a new version of /etc/pam.d/su that has commented-out sample lines for making an /etc/security/suauth.allow. Perhaps this would be equivalent?
_________________
For every higher wall, there is a taller ladder
grafty (n00b), Joined: 27 Jan 2003, Posts: 33
Posted: Tue Jan 28, 2003 9:58 pm

rac wrote:
I just got a new version of /etc/pam.d/su that has commented-out sample lines for making an /etc/security/suauth.allow. Perhaps this would be equivalent?


The suauth.allow file is a way to allow particular users to use su by enumerating them in a file. This is similar to granting users access to su by enumerating them in the sudoers file, and its effects are identical to creating an "su-authorized" linux group. The difference between the three of these methods is the file that dictates which users are allowed access to su.

My personal preference is to keep as much "group" information (including the "group" that has access to su) in the actual /etc/group file.