Re: how to prohibit user 's operation

On Tue, 4 Sep 2007, Les Mikesell wrote:

> Ian jonhson wrote:
>> Hi,
>>
>> I log in to an account, for example my_name_1, and now I want to change to
>> another account, named my_name_2. For example,
>>
>> $ whoami
>> tom           <--- legal user
>> $ su john   <--  illegal operation, should be refused.
>>
>> In this case, how do I refuse the request with PAM?
>>
>> The user going through the above case can be other persons; PAM
>> should be able to determine whether the operation is legal. However,
>> it is not easy to accomplish the operation control.
>>
>> The user may be a legal user; however, his operation to switch accounts
>> has to be prohibited. I used pam_sm_authenticate to authenticate that
>> the user is legal. But when I refuse his operation (su, in the above
>> example) by pam_sm_acct_mgmt, it does not get what I want.
>>
>> In pam_sm_authenticate, it returns PAM_SUCCESS if the user is a legal one.
>> And, in pam_sm_acct_mgmt, I want to return PAM_AUTH_ERR, but the su
>> operation is still in function and switches to john.
>>
>> What should I do?
>
> Normally the 'auth' entry in /etc/pam.d/su would be something that makes
> you enter the password for the new user unless you are root or a member
> of a trusted group. Isn't having to know the password enough to control
> the operation?

Under normal circumstances I would agree that simply knowing the password would be enough control. I have a situation where I have an application that can only do traditional unix passwd/shadow authentication, which requires knowledge of the service account password. I do not, however, want to allow someone who knows the password (did I mention that I believe the application stores the password in clear text?) to be able to get a shell as the application user without using a logged shell. As a result, I use Enterprise Audit Shell controlled with sudo access to allow logged shell access. I use DenyGroup in sshd_config as well as a pam_listfile in /etc/pam.d/su to prevent any unapproved type of shell access as this user.

Barry
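The layering Barry describes, written out as an added illustration (this is not configuration from the original post, nor from any product's documentation): a pam_listfile line in /etc/pam.d/su that refuses su to the service account no matter who knows its password, the deny list that line reads, a sudoers rule that leaves the logged shell as the only sanctioned route into that account, and the sshd_config line that blocks direct ssh logins (the actual keyword is DenyGroups). The account name appuser, the groups appadmins and appsvc, the list path /etc/security/su-deny-users and the audit-shell path /usr/local/bin/eas are placeholders; the real install path of Enterprise Audit Shell and the remaining contents of each file are not shown on this page and have to come from the system being configured. The `include system-auth` lines follow the Red Hat style of the period.

```text
# /etc/pam.d/su   (added example; appuser and the list path are placeholders)
# Refuse su to any target user named in the deny file, before a password is
# even asked for.  item=user is the *target* account (PAM_USER); the caller
# would be item=ruser.  sense=deny rejects listed names; onerr=fail makes a
# missing or unreadable list fail closed.  Placed above pam_rootok.so this
# line also stops root from su-ing to appuser; placed below it, root still can.
auth      requisite   pam_listfile.so item=user sense=deny file=/etc/security/su-deny-users onerr=fail
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   include     system-auth
session   include     system-auth

# /etc/security/su-deny-users   (one login name per line; owner root, mode 0600,
# since pam_listfile rejects a list that is not root-owned or is world-writable)
appuser

# /etc/sudoers   (edit with visudo; placeholder group and audit-shell path)
# Members of appadmins may run only the logged shell as appuser.
%appadmins ALL=(appuser) /usr/local/bin/eas

# /etc/ssh/sshd_config
# No interactive ssh login for members of the service-account group.
DenyGroups appsvc
```

To check the result: as a non-root member of appadmins, `su - appuser` should be refused even with the correct password, `sudo -u appuser /usr/local/bin/eas` should start the logged shell, and `ssh appuser@host` should be rejected before authentication completes (restart sshd after the edit). Note also that the `auth` and `account` stacks are evaluated by separate calls (pam_authenticate and pam_acct_mgmt), so a denial coded in a module's pam_sm_acct_mgmt is only consulted if that module is listed under `account` in /etc/pam.d/su with a control such as `required` or `requisite`; a module present only in the `auth` stack never gets that callback.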

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
