Re: how to prohibit user 's operation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ian jonhson wrote:
Hi,

I login a account, for example my_name_1, now I want to change to
other account, named my_name_2. For example,

$ whoami
tom           <--- legal user
$ su john   <--  illegal operation, should be refused.

In this case, how to refuse the request by PAM ?

The user going through this above case can be other persons, PAM
should be able to determine whether the operation is legal. However,
it is not easy to accomplish the operation control.

The user may be a legal user, however his operation to switch account
have to be prohibited. I used the pam_sm_authenticate to authenticate
the user is legal. But when I refuse his operation (su, in above
example) by pam_sm_acct_mgt, it can not get what I want.

In pam_sm_authenticate, it returns PAM_SUCCESS if user is legal one.
And, in pam_sm_acct_mgt, I want to return PAM_AUTH_ERR, but the su
operation is still in function and switch to john.

What should I do?

Normally the 'auth' entry in /etc/pam.d/su would be something that makes you enter the password for the new user unless you are root or a member of a trusted group. Isn't having to know the password enough to control the operation?

--
  Les Mikesell
   lesmikesell@xxxxxxxxx

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux