Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Access to su without being in the wheel group (the PAM way)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
nadampel
n00b
n00b


Joined: 14 Mar 2018
Posts: 1

PostPosted: Wed Mar 21, 2018 10:16 am    Post subject: Access to su without being in the wheel group (the PAM way) Reply with quote

If you're like me, then you're a little nervous about granting your non-root user access to the wheel group just so you can use su when you need to. Users in the wheel group are a little more powerful than the standard user, and I like to keep my non-root user as powerless as possible (it's a power trip :) )

There are a couple of ways to do this. In particular, you can do this with sudo and the /etc/sudoers file, but I am not adept in the ways of sudo (perhaps someone can post a reply instructing how to do this with sudo?), and I prefer the simpler solution of using PAM (Pluggable Authentication Modules) directly.

First, make sure that you have PAM installed.
Code:
emerge sys-libs/pam


Now, edit the /etc/pam.d/su file. This file contains configuration information about which PAM modules to load to enforce security with respect to the su command. In this file, look for the line that looks like this:
Code:
auth required /lib/security/pam_wheel.so use_uid


This line loads the pam_wheel.so module, which tells PAM that in order to use su, it is required that the requesting user be a part of the wheel group. We can change this default behavior by telling PAM that we want it to check for a different group. Simply append group=<nameOfGroup> to the end of that line to make su recognize a group other than wheel. For example:

Code:
auth required /lib/security/pam_wheel.so use_uid group=sugrp


In this case, PAM will require that any user requesting to use the su command must be a member of the sugrp group.

All that remains is adding to the appropriate group all of the users that you want to use su.

NOTE: This method affects all use of the su command, even to users other than the root. That is, if a particular user in not a member of the appropriate group (wheel or otherwise), then that user cannot use su at all, even to su to another non-root user. Power trip, baby! :)
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 3350

PostPosted: Wed Mar 21, 2018 11:38 am    Post subject: Reply with quote

Doesn't this just confer the privileges of "wheel" to the new group you've chosen? Isn't this just wheel, by another name?
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 12823

PostPosted: Thu Mar 22, 2018 1:51 am    Post subject: Reply with quote

Mostly, yes. It does separate wheel's ability to su from all the other privileges that the wheel group grants, so you can give someone those privileges and not su or vice versa. On my system, those privileges amount to the ability to run /usr/sbin/cron. That's the only filesystem-related permission where wheel is used. So in practice, yes, it's almost equivalent to merely renaming wheel.
Back to top
View user's profile Send private message
steveL
Watchman
Watchman


Joined: 13 Sep 2006
Posts: 5140
Location: The Peanut Gallery

PostPosted: Sun Apr 08, 2018 6:20 pm    Post subject: Reply with quote

Hu wrote:
Mostly, yes. It does separate wheel's ability to su from all the other privileges that the wheel group grants, so you can give someone those privileges and not su or vice versa. On my system, those privileges amount to the ability to run /usr/sbin/cron. That's the only filesystem-related permission where wheel is used. So in practice, yes, it's almost equivalent to merely renaming wheel.
The underlined emphasis is dangerous there, as sysadmins can and will set up their machines to use the wheel group on what a programmer might think is an "ad-hoc" basis, but is definitely intended usage.

Further, that's only on your machine, running a subset of available and future software (the set we must handle, or at least allow for.)

@nadampel: it seems like you need: visudo wrt the first part of your post.
Secondly, it's good to see someone sharing PAM configuration. Keep it up.

Not sure I share your megalomania ;) but I highly recommend you /join #bash on IRC: chat.freenode.org or .net for more sysadmin knowhow.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum