如何在 Linux 中仅阻止某些用户的 su 访问

tag-icon tag-icon pam su
如何在 Linux 中仅阻止某些用户的 su 访问

我想以某种方式配置 pam,以便我的某些用户只能通过 su 变为某些用户。

在 RHEL4 中,我使用

/etc/pam.d/su

auth       required     /lib/security/$ISA/pam_stack.so service=system-auth 
auth       sufficient   /lib/security/$ISA/pam_stack.so service=suroot-members 
auth       required     /lib/security/$ISA/pam_deny.so

/etc/pam.d/suroot 成员

auth       required     /lib/security/$ISA/pam_wheel.so use_uid group=suroot
auth       required     /lib/security/$ISA/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/sumembers-access

使用上述配置,组 suroot 中的用户只能 su 到 sumembers-access 中提到的用户名。但 OEL6 已弃用 pam_stack.so。我尝试按以下方式进行配置,但效果不如预期。

/etc/pam.d/su

auth      sufficient  pam_rootok.so
auth      include     system-auth
auth      include     group2-members
auth      include     group1-members
auth      required    pam_deny.so
account   sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account   include     system-auth
password  include     system-auth
session   include     system-auth
session   optional    pam_xauth.so

/etc/pam.d/group2-成员

auth required pam_wheel.so use_uid group=group2
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access

以上不起作用,所有用户都可以 su 到所有人。有人能告诉我我做错了什么吗?

答案1

希望这会有所帮助。

# cat /etc/pam.d/su
auth            sufficient      pam_rootok.so
auth            [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1
auth            [success=2 default=die] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
auth            [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2
auth            requisite pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
auth            include system-auth
account              sufficient        pam_succeed_if.so uid = 0 use_uid quiet
account              include                system-auth
password             include                system-auth
session              include                system-auth
session              optional        pam_xauth.so

# cat /etc/security/su-group1-access |egrep -v "^#|^$"
oracle
user

# cat /etc/security/su-group2-access |egrep -v "^#|^$"
root

原始答案:使用下面

# cat /etc/pam.d/su |egrep -v "^#|^$"
auth        sufficient  pam_rootok.so
auth        [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup group1
auth        required pam_wheel.so use_uid group=group1
auth        required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
auth        [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup group2
auth        required pam_wheel.so use_uid group=group2
auth        required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
auth        include     system-auth
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     optional    pam_xauth.so

# cat /etc/security/su-group1-access |egrep -v "^#|^$"
oracle
user

# cat /etc/security/su-group2-access |egrep -v "^#|^$"
root

相关内容