Okay, I added

    auth sufficient /lib/security/pam_stack.so service=su-limiting

to /etc/pam.d/su.

/etc/pam.d/su-limiting contains

    auth sufficient /lib/security/pam_stack.so service=members-secoff
    auth required   /lib/security/pam_deny.so

/etc/pam.d/members-secoff contains

    auth required /lib/security/pam_wheel.so use_uid group=nonex
    auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/membergroups/secoff

and /etc/membergroups/secoff contains

    secoff

The group nonex _does_ exist :-) but not a single user is a member of said group. Still, any user that is part of the wheel group can su to secoff. Is this a problem where the wheel thingie overrides the above settings? Or did I miss something?

Thanks,
cnf

On Thu, 2002-12-19 at 16:13, Werner Puschitz wrote:
> You might want to check out
> http://www.puschitz.com/Security.shtml
> - Setting Up "su" Restrictions for "root"
> - Setting Up "su" Restrictions for Other Accounts
>
> I welcome any feedback.
>
> Werner
>
> On 19 Dec 2002, cnf wrote:
>
> > Nod, I figured it would be something like that, but I can't find the
> > parameter :-/
> >
> > Mind posting it when you can check it?
> >
> > Thanks
> >
> > On Thu, 2002-12-19 at 03:18, Nelson Sampaio Araujo Junior wrote:
> > > You can specify this in the "su" PAM rules in /etc/pam.d/su. There is a
> > > parameter for "not allowed" groups/users. (Sorry for not telling the
> > > parameter, but I'm without my Unix access right now to check for you.)
> > >
> > > - Nelson
> > >
> > > -----Original Message-----
> > > From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com] On Behalf
> > > Of cnf
> > > Sent: Wednesday, December 18, 2002 5:49 PM
> > > To: pam-list@redhat.com
> > >
> > > I have 1 specific user (uid 400 *grin*) that I want to deny ALL login
> > > attempts to.
> > >
> > > So only direct console login would be allowed.
> > >
> > > I got it all working; the only thing I can't seem to get done is the su
> > > part.
> > >
> > > How do I tell PAM that ANY su attempt to uid 400 is to be forbidden?
> > >
> > > No matter if the su-ing user is in group wheel, or root himself, su to
> > > uid 400 needs to be denied.
> > >
> > > Ideally I would want that user only to be able to log in on ttyS0, but
> > > for now I'll settle for solving the su prob :-)
> > >
> > > Any suggestions?
> > >
> > > cnf
> > > --
> > > Please avoid sending me Word or PowerPoint attachments.
> > > See http://www.fsf.org/philosophy/no-word-attachments.html
> > >
> > > _______________________________________________
> > > Pam-list@redhat.com
> > > https://listman.redhat.com/mailman/listinfo/pam-list
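Editor's note: the following is an added example of the general shape of a "nobody may su to this one account" rule, written for this page; it is not the configuration posted in the thread, and the file name /etc/security/su-denied-users is a made-up path. Two PAM facts drive the layout. First, a module marked `sufficient` that fails is simply skipped and the stack continues to the next line, so a denial that has to stick must be `required` (or `requisite`). Second, the line must come before any module that can succeed on its own, in particular before pam_rootok, which lets root through without authenticating; the stack below assumes a Red Hat style /etc/pam.d/su of that era whose existing lines are pam_rootok followed by pam_stack service=system-auth. For pam_listfile, `item=user` tests the account being switched to (PAM_USER), not the caller, so listing the protected account with `sense=deny` blocks every su to it regardless of who is asking; `onerr=fail` refuses if the list file cannot be read.

```text
# /etc/pam.d/su -- added example, not the thread's own configuration.
# Assumes the pre-existing stack is the Red Hat default shown after the
# first line; /etc/security/su-denied-users is a hypothetical path.

# Deny su TO any account named in the file. Placed first and marked
# "required" so the failure cannot be bypassed by a later module, and
# so that even root (pam_rootok below) is refused.
auth     required   /lib/security/pam_listfile.so item=user sense=deny file=/etc/security/su-denied-users onerr=fail

# Original stack follows unchanged.
auth     sufficient /lib/security/pam_rootok.so
auth     required   /lib/security/pam_stack.so service=system-auth
account  required   /lib/security/pam_stack.so service=system-auth
password required   /lib/security/pam_stack.so service=system-auth
session  required   /lib/security/pam_stack.so service=system-auth

# /etc/security/su-denied-users (one login name per line, mode 0600, owned by root)
secoff
```

To verify the rule, try `su - secoff` as root, as a wheel member, and as an ordinary user; all three must fail at the auth phase, and /var/log/secure (or wherever authpriv logs go) should show the refusal coming from pam_listfile rather than from a password failure. If one of them still succeeds, the usual cause is that the deny line was placed after a `sufficient` module that already returned success.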