4 Sep 2007 15:14
Re: how to prohibit user 's operation
Barry Brimer <lists <at> brimer.org>
2007-09-04 13:14:26 GMT
On Tue, 4 Sep 2007, Les Mikesell wrote:

> Ian jonhson wrote:
>> Hi,
>>
>> I log in to an account, for example my_name_1, and now I want to change to
>> another account, named my_name_2. For example,
>>
>> $ whoami
>> tom <--- legal user
>> $ su john <-- illegal operation, should be refused.
>>
>> In this case, how do I refuse the request by PAM?
>>
>> The user going through the above case can be other persons; PAM
>> should be able to determine whether the operation is legal. However,
>> it is not easy to accomplish the operation control.
>>
>> The user may be a legal user; however, his operation to switch account
>> has to be prohibited. I used pam_sm_authenticate to authenticate that
>> the user is legal. But when I refuse his operation (su, in the above
>> example) by pam_sm_acct_mgt, it cannot get what I want.
>>
>> In pam_sm_authenticate, it returns PAM_SUCCESS if the user is a legal one.
>> And, in pam_sm_acct_mgt, I want to return PAM_AUTH_ERR, but the su
>> operation is still in function and switches to john.
>>
>> What should I do?
>
> Normally the 'auth' entry in /etc/pam.d/su would be something that makes you
> enter the password for the new user unless you are root or a member of a
> trusted group. Isn't having to know the password enough to control the
> operation?

Under normal circumstances I would agree that simply knowing the password would be enough control. I have a situation where I have an application that can only do traditional unix passwd/shadow authentication, which requires knowledge of the service account password. I do not, however, want to allow someone who knows the password (did I mention that I believe the application stores the password in clear text?) to be able to get a shell as the application user without using a logged shell. As a result, I use Enterprise Audit Shell controlled with sudo access to allow logged shell access.
I use DenyGroup in sshd_config as well as a pam_listfile in /etc/pam.d/su to prevent any unapproved type of shell access as this user.

Barry
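The pam_listfile arrangement Barry describes, written out as an added example (this is not Barry's actual configuration, nor a file from the Linux-PAM project). It assumes a Red Hat style `system-auth` stack, a service account called `appsvc`, and a deny-list file at /etc/security/su.deny; all three are placeholders. It also covers the original question, where the requesting user rather than the target account is the one to be refused.

```conf
# /etc/pam.d/su  (Linux-PAM; modules run top to bottom, order matters)

# root, and therefore anything launched through sudo, may su without further
# checks, so the logged-shell path (sudo -> Enterprise Audit Shell) keeps working.
auth       sufficient pam_rootok.so

# Refuse su *to* any account named in the deny file, whoever is asking and
# even if they know the password.  item=user is the target account (PAM_USER).
# onerr=fail: if the list file is missing or unreadable, deny rather than allow.
# sense=deny: a match in the file means "refuse".
auth       required   pam_listfile.so onerr=fail item=user sense=deny file=/etc/security/su.deny

# Variant for the case in the original question: refuse su *from* a listed
# requesting account (item=ruser is the user running su, e.g. tom).
# Uncomment and point at a second list file to use it.
# auth     required   pam_listfile.so onerr=fail item=ruser sense=deny file=/etc/security/su.norequest

# Only after the deny checks does the normal password prompt for the target
# user run.  Because the listfile line is "required" and sits in the auth
# stack, a match fails the stack before any password is even asked for.
auth       include    system-auth
account    include    system-auth
session    include    system-auth

# /etc/security/su.deny (constructed example; one account name per line,
# file should be root-owned and mode 0600):
#
#   appsvc
```

The matching SSH-side control is the sshd_config directive `DenyGroups` (that is the directive's actual spelling) naming a group the service account belongs to, so the account cannot be reached over SSH either and the sudo-wrapped audit shell remains the only interactive route.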