Ian jonhson wrote:
Hi,

I log in to an account, for example my_name_1, and now I want to change to another account, named my_name_2. For example,

    $ whoami
    tom            <--- legal user
    $ su john      <-- illegal operation, should be refused.

In this case, how do I refuse the request with PAM?

The user going through the above case can be any other person; PAM should be able to determine whether the operation is legal. However, it is not easy to accomplish this operation control. The user may be a legal user, but his operation to switch accounts has to be prohibited.

I used pam_sm_authenticate to authenticate that the user is legal. But when I refuse his operation (su, in the above example) in pam_sm_acct_mgt, I cannot get what I want. pam_sm_authenticate returns PAM_SUCCESS if the user is a legal one. In pam_sm_acct_mgt I want to return PAM_AUTH_ERR, but the su operation still functions and switches to john.

What should I do?
Normally the 'auth' entry in /etc/pam.d/su would be something that makes you enter the password for the new user unless you are root or a member of a trusted group. Isn't having to know the password enough to control the operation?
--
Les Mikesell
lesmikesell@xxxxxxxxx

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
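
The reply above describes the 'auth' stack in /etc/pam.d/su. As an added illustration (not code from this thread or from Linux-PAM), the simplified model below applies the standard control flags to such a stack and shows that a module's failure stops su only when its line is configured to count. The module name pam_su_policy.so and all stack lines and outcomes are constructed assumptions.

```python
# Simplified model of how libpam combines module results in one stack.
# pam_su_policy.so is a hypothetical module; all stack lines are constructed.
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

def run_stack(stack, results):
    """stack: [(control, module)], results: {module: outcome} -> bool."""
    failed = ok = False
    for control, module in stack:
        outcome = results.get(module, IGNORE)
        if outcome == IGNORE:
            continue
        if outcome == SUCCESS:
            if control == "sufficient" and not failed:
                return True        # stack ends here, later modules are skipped
            ok = True
        elif control == "requisite":
            return False           # fail immediately
        elif control == "required":
            failed = True          # remembered; remaining modules still run
        # a failing "sufficient" or "optional" module is ignored
    return ok and not failed

def su_allowed(auth, account, results):
    """su proceeds only if both the auth and the account stack succeed."""
    return run_stack(auth, results) and run_stack(account, results)

# auth stack of the kind described in the reply: root and trusted-group
# members skip the password, everyone else needs the target's password.
AUTH = [("sufficient", "pam_rootok.so"),
        ("sufficient", "pam_wheel.so"),
        ("required", "pam_unix.so")]
ACCT_OPTIONAL = [("optional", "pam_su_policy.so"), ("required", "pam_unix.so")]
ACCT_REQUIRED = [("required", "pam_su_policy.so"), ("required", "pam_unix.so")]

# tom knows john's password, but the policy module refuses the switch.
TOM = {"pam_rootok.so": FAIL, "pam_wheel.so": FAIL,
       "pam_unix.so": SUCCESS, "pam_su_policy.so": FAIL}

if __name__ == "__main__":
    print("policy line optional:", su_allowed(AUTH, ACCT_OPTIONAL, TOM))
    print("policy line required:", su_allowed(AUTH, ACCT_REQUIRED, TOM))
```

The model covers only the four keyword control flags and treats every non-success return code as a plain failure.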