On 2011-05-26 22:11, William Hopkins wrote:
> On 05/26/11 at 07:31pm, Stanisław Findeisen wrote:
>> pam_wheel lets you su to root without typing a password if you are a
>> member of a specific group.
>> I need a PAM module with more flexible applicant user / target user
>> pairs management. For instance I'd like to be able to su with no
>> password from user A to users B and C, but not to root.
>> What is the way to do it?
> If you must use PAM, consider using pam_listfile and an authorized
> list of target users, or setting sense=deny and blacklisting root
> specifically. Configuring multiple PAM modules to work together may be
> necessary to meet every part of your requirement, and this can be
> complicated and invites serious study and testing prior to
> implementation.
Hm, in pam_listfile man page I can't see any way to restrict *target*