Using pam_succeed_if to restrict user login to single group

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


I'm running Debian 9. I'm no PAM expert. What I want to do is restrict user logins to uids that are members of the "goodgroup" group. I forget where I got this solution originally, but this is what I have in my /etc/pam.d/common-account:

# here are the per-package modules (the "Primary" block)
account	[success=1 new_authtok_reqd=done default=ignore] 
# here's the fallback if no module succeeds
account	requisite
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account	required
# and here are more per-package modules (the "Additional" block)
account	required minimum_uid=1000
account	sufficient 

# >>> This is where I'm trying to do it <<<
account	requisite              user ingroup goodgroup

account	[default=bad success=ok user_unknown=ignore] 
account	[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore auth
info_unavail=ignore default=bad] minimum_uid=1000
# end of pam-auth-update config

Let's say I have a uid "baduid" that's not in the required group. What I'd like to happen is that trying "su baduid" as root should fail completely.. What actually happens is that the su is successful but baduid has no associated home directory. 

Here's what I see in the log file when I do "su baduid":

May  3 16:08:03 myhost su[3014]: pam_succeed_if(su:account): requirement "user ingroup goodgroup" not met by user "baduid"
May  3 16:08:03 myhost su[3014]: Successful su for baduid by root
May  3 16:08:03 myhost su[3014]: + /dev/pts/0 root:baduid
May  3 16:08:03 myhost su[3014]: pam_unix(su:session): session opened for user baduid by root(uid=0)
May  3 16:08:03 myhost su[3014]: pam_systemd(su:session): Cannot create session: Already running in a session

Any help in trying to achieve my goal would be greatly appreciated.

Matthew Wyneken

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux