My first thought was that you could limit users by restricting the group and everyone execute permission. To test my theory I did a search using "find / -iname su". My searched turned up the file /etc/pam.d/su. I have not tested anything, but there are comments in this config file that should put you on the right track. My copy of the /etc/pam.d/su is pasted here... [root@mail1 pam.d]# cat su #%PAM-1.0 auth sufficient /lib/security/pam_rootok.so # Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient /lib/security/pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. #auth required /lib/security/pam_wheel.so use_uid auth required /lib/security/pam_stack.so service=system-auth account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session optional /lib/security/pam_xauth.so [root@mail1 pam.d]# pwd /etc/pam.d [root@mail1 pam.d]# Joseph A. Terrell Senior Internet Analyst Internet Services HighTower, Inc., 7301 N. Lincoln, Suite 100, Lincolnwood, IL 60712 (v) 847.674.0081 (f) 847.674.0544 ****HighTower's Retainer Control - www.hightowerinc.com/retainercontrol ****HighTower's Best Solutions - www.hightowerinc.com/best >>> Florin.Florian@net.utcluj.ro 10/24/01 10:17AM >>> Hi, How can I restrict for some of the users to take "su -" in the telnet console? Thank's for your help .... _______________________________________________ Pam-list@redhat.com https://listman.redhat.com/mailman/listinfo/pam-list
