I just tried the non-login-shell with those settings, and it didn't offer any change from the previous response.
(I primarily work with CentOS6.6 at work but am testing Fedora at home and would like to implement similar security settings)
[ user@localhost ~]$ su - <<EOF
> echo ""
> id
> EOF
standard in must be a tty
I'm going to look into PAM to check for related files. Please let me know if you have more advice on this issue, as technically this allows for scripted access to root (good for initial setup of production environments provided you lock it down afterwards; however, it could also be exploited by intelligent malware).
Thanks, and I look forward to hearing from you.
On Wed, Aug 19, 2015 at 9:55 AM, Scott Mattan <s-mattan@xxxxxxxxxxxx> wrote:
Sorry about the other post, this one may not come in correctly either...
In any case, I will explain this after the main issue...

I have the following differences in my /etc/pam.d/su file:

CentOS6.6:
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so

Fedora22:
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so

When I try to mimic the settings for Fedora 22 in CentOS6.6 to test if this is the cause I become unable to open sockets.
[ root@localhost ~ ]# su user
could not open session
So while this may be the issue, I have to believe that it is not the sole issue and there must be another cause.
I hadn't tested the su-l file for differences yet, but it is primarily for login-shells... which admittedly my CentOS6.6 connection is through a login-shell as it is through ssh, whereas the Fedora22 is through a non-login-shell from the GUI.
Luckily this CentOS6.6 system also has a GUI so I will try to replicate from a non-login-shell and get back to you with more information.

Now for my lack of understanding of the mailing list.
On the computer, I don't understand how to reply without having to copy information from multiple sources. The entire list comes in a single post (very difficult to read) and replying to one means replying to all.
Additionally, operating on my phone doesn't even permit me to view the posts, and I must manually go to the archives to read any of the new additions.
Is there a better way of viewing this list without having to copy paste titles and contents?
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
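
Added example, not part of the original thread: a Python check that parses the two /etc/pam.d/su stacks quoted above, lists the rules that differ, and reports include/substack targets that have no file in the target host's /etc/pam.d, which is worth verifying before copying a stack between distributions. The TARGET_PAM_D file list is constructed sample data, and the thread does not establish whether a missing target is what produced "could not open session".

```python
import re

# /etc/pam.d/su stacks as quoted in the thread (commented-out wheel lines omitted).
FEDORA22_SU = """#%PAM-1.0
auth sufficient pam_rootok.so
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so"""
CENTOS66_SU = """#%PAM-1.0
auth sufficient pam_rootok.so
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so"""
# Constructed sample; on a real host use set(os.listdir("/etc/pam.d")).
TARGET_PAM_D = {"su", "su-l", "system-auth", "password-auth"}

# type, control (plain word or bracketed [value=action ...]), module, arguments
RULE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_stack(text):
    """Return (type, control, module, args) for every active rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE.fullmatch(line.split("#", 1)[0].strip())
        if m:
            rules.append(m.groups())
    return rules

def stack_diff(a, b):
    """Rules present only in a, and only in b, in file order."""
    return [r for r in a if r not in b], [r for r in b if r not in a]

def missing_targets(rules, present):
    """include/substack targets that have no file in the pam.d directory."""
    return sorted({mod for _, ctl, mod, _ in rules
                   if ctl in ("include", "substack") and mod not in present})

if __name__ == "__main__":
    fedora, centos = parse_stack(FEDORA22_SU), parse_stack(CENTOS66_SU)
    only_fedora, only_centos = stack_diff(fedora, centos)
    print("only in Fedora 22 stack:", only_fedora, "\nonly in CentOS 6.6 stack:", only_centos)
    print("targets missing in target pam.d:", missing_targets(fedora, TARGET_PAM_D))
```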