Using pam_succeed_if to restrict user login to single group

I'm running Debian 9. I'm no PAM expert. What I want to do is restrict user logins to uids that are members of the "goodgroup" group. I forget where I got this solution originally, but this is what I have in my /etc/pam.d/common-account:

#####
.
.
.
# here are the per-package modules (the "Primary" block)
account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so 
# here's the fallback if no module succeeds
account	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
account	required			pam_krb5.so minimum_uid=1000
account	sufficient			pam_localuser.so 

# >>> This is where I'm trying to do it <<<
account	requisite                       pam_succeed_if.so user ingroup goodgroup

account	[default=bad success=ok user_unknown=ignore]	pam_sss.so 
account	[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]	pam_ldap.so minimum_uid=1000
# end of pam-auth-update config
#####



Let's say I have a uid "baduid" that's not in the required group. What I'd like to happen is that trying "su baduid" as root should fail completely. What actually happens is that the su is successful, but baduid has no associated home directory.

Here's what I see in the log file when I do "su baduid":

May  3 16:08:03 myhost su[3014]: pam_succeed_if(su:account): requirement "user ingroup goodgroup" not met by user "baduid"
May  3 16:08:03 myhost su[3014]: Successful su for baduid by root
May  3 16:08:03 myhost su[3014]: + /dev/pts/0 root:baduid
May  3 16:08:03 myhost su[3014]: pam_unix(su:session): session opened for user baduid by root(uid=0)
May  3 16:08:03 myhost su[3014]: pam_systemd(su:session): Cannot create session: Already running in a session

Any help in trying to achieve my goal would be greatly appreciated.

Matthew Wyneken

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
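The following is an added example and not part of the post above or of Linux-PAM itself: a small evaluator for the poster's common-account stack that implements the control-flag semantics from pam.conf(5) (required, requisite, sufficient, optional, and the [value=action] form with ok/done/bad/die/ignore/N; reset and the other return codes are not modelled). The real pam_*.so modules are replaced by stubs whose inputs (whether the account is in /etc/passwd, whether a directory such as sssd/LDAP knows it, and its groups) are constructed for the demonstration. Running it shows two things about the stack as posted: for an account that pam_localuser accepts, the sufficient entry ends the stack before pam_succeed_if is consulted at all, and for an account pam_localuser rejects, the requisite pam_succeed_if entry does make the account phase return a failure (which is what the "requirement ... not met" log line reflects). What the calling application then does with a failed pam_acct_mgmt() is outside the stack and is not modelled here.

```python
"""Evaluator for a Linux-PAM account stack (added example; stub modules, constructed users)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Return codes named as in Linux-PAM; only those this stack can produce.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_IGNORE, PAM_PERM_DENIED = (
    "success", "auth_err", "user_unknown", "ignore", "perm_denied")

# Shorthand control words expanded to the [value=action] form, per pam.conf(5).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(control: str) -> Dict[str, str]:
    """'required' or '[success=1 default=ignore]' -> {return value: action}."""
    control = control.strip()
    if control in SHORTHAND:
        return dict(SHORTHAND[control])
    assert control.startswith("[") and control.endswith("]"), control
    return dict(item.split("=", 1) for item in control[1:-1].split())

@dataclass
class Entry:
    control: str
    module: str
    args: List[str] = field(default_factory=list)

@dataclass
class User:                 # constructed account facts the stub modules consult
    name: str
    in_passwd: bool         # listed in /etc/passwd (what pam_localuser checks)
    in_directory: bool      # known to sssd/LDAP (and therefore resolvable via NSS)
    groups: List[str]       # supplementary groups (what 'user ingroup X' checks)

# Stub modules (assumptions, not the real modules' logic): return a code for the account phase.
def pam_unix(u, a):       return PAM_SUCCESS if (u.in_passwd or u.in_directory) else PAM_USER_UNKNOWN
def pam_deny(u, a):       return PAM_AUTH_ERR
def pam_permit(u, a):     return PAM_SUCCESS
def pam_krb5(u, a):       return PAM_IGNORE            # no Kerberos principals in this setup
def pam_localuser(u, a):  return PAM_SUCCESS if u.in_passwd else PAM_USER_UNKNOWN
def pam_sss(u, a):        return PAM_SUCCESS if u.in_directory else PAM_USER_UNKNOWN
def pam_ldap(u, a):       return PAM_USER_UNKNOWN       # no separate LDAP source in this setup
def pam_succeed_if(u, a):                                # only 'user ingroup <group>' is implemented
    assert a[:2] == ["user", "ingroup"], a
    return PAM_SUCCESS if a[2] in u.groups else PAM_AUTH_ERR

MODULES: Dict[str, Callable[[User, List[str]], str]] = {
    "pam_unix.so": pam_unix, "pam_deny.so": pam_deny, "pam_permit.so": pam_permit,
    "pam_krb5.so": pam_krb5, "pam_localuser.so": pam_localuser, "pam_sss.so": pam_sss,
    "pam_ldap.so": pam_ldap, "pam_succeed_if.so": pam_succeed_if,
}

def run_stack(stack: List[Entry], user: User) -> Tuple[str, List[str]]:
    """Evaluate the stack; return (final code, modules actually consulted, in order)."""
    consulted, status, impression, i = [], PAM_PERM_DENIED, None, 0
    while i < len(stack):
        e = stack[i]
        consulted.append(e.module)
        actions = parse_control(e.control)
        code = MODULES[e.module](user, e.args)
        action = actions.get(code, actions.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue                      # result does not contribute to the stack
        if action in ("bad", "die"):
            if impression != "bad":       # first failure fixes the stack's status
                impression, status = "bad", code
            if action == "die":
                break                     # requisite-style: stop immediately
            continue
        if impression != "bad":           # ok / done / N only count while no failure is recorded
            impression, status = "ok", code
        if action == "done":
            break                         # sufficient-style: stop with success
        if action.isdigit():
            i += int(action)              # jump over the next N entries
    return status, consulted

# The poster's common-account stack, transcribed without comments.
COMMON_ACCOUNT = [
    Entry("[success=1 new_authtok_reqd=done default=ignore]", "pam_unix.so"),
    Entry("requisite", "pam_deny.so"),
    Entry("required", "pam_permit.so"),
    Entry("required", "pam_krb5.so", ["minimum_uid=1000"]),
    Entry("sufficient", "pam_localuser.so"),
    Entry("requisite", "pam_succeed_if.so", ["user", "ingroup", "goodgroup"]),
    Entry("[default=bad success=ok user_unknown=ignore]", "pam_sss.so"),
    Entry("[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore "
          "authinfo_unavail=ignore default=bad]", "pam_ldap.so", ["minimum_uid=1000"]),
]

def with_check_before_sufficient(stack: List[Entry]) -> List[Entry]:
    """Copy of the stack with pam_succeed_if moved ahead of the first 'sufficient' entry."""
    check = next(e for e in stack if e.module == "pam_succeed_if.so")
    rest = [e for e in stack if e is not check]
    idx = next(i for i, e in enumerate(rest) if e.control == "sufficient")
    return rest[:idx] + [check] + rest[idx:]
```

With these stubs, a directory-only user outside goodgroup gets auth_err from the stack after pam_succeed_if is consulted, a directory user inside the group gets success, and a local (/etc/passwd) user outside the group gets success without pam_succeed_if ever running, because the sufficient pam_localuser entry terminates the stack first; with_check_before_sufficient() shows the ordering under which the group check applies to both kinds of account.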