su without a password (not root)

On 05/27/11 at 05:28pm, Stanisław Findeisen wrote:
> On 2011-05-26 22:11, William Hopkins wrote:
> > On 05/26/11 at 07:31pm, Stanisław Findeisen wrote:
> >> pam_wheel lets you su to root without typing a password if you are a
> >> member of a specific group.
> >>
> >> I need a PAM module with more flexible applicant user / target user
> >> pairs management. For instance I'd like to be able to su with no
> >> password from user A to users B and C, but not to root.
> >>
> >> What is the way to do it?
> >
> > If you must use PAM, consider a usage of pam_listfile and an authorized list of target users, or setting sense=deny and blacklisting root specifically. Configuring multiple pam modules to work together may be necessary to meet every part of your requirement, and this can be complicated and invites serious study and testing prior to implementation.
>
> Hm, in pam_listfile man page I can't see any way to restrict *target*
> user set...
>
Unfortunately I can't find it in the manpage either. Perhaps I was being forgetful; I could have sworn you could stack it so pam_listfile was usable in this scenario.
Perhaps just use pam_wheel deny group='somegroup', and add all the users you want to be able to su (but not to root) to 'somegroup'. Then they can su to their heart's content, but not to root. Of course, if they could figure out a user who wasn't in 'somegroup', they might su to that user and then to root. So perhaps you should ensure all users are a member of 'somegroup' (i.e. use the users group).

Or use sudo, which is designed for ACL-type management. (:
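A concrete /etc/pam.d/su stack along the lines of the pam_wheel suggestion above, written as an added example rather than anything posted in the thread or shipped by Linux-PAM. It assumes 'somegroup' as the placeholder group name and a distribution whose common password checks live in a file named system-auth.

```conf
# /etc/pam.d/su  (added example; 'somegroup' and system-auth are assumptions)
#
# 1. Members of 'somegroup' can never become root through su, with or
#    without root's password. root_only restricts this check to a target of
#    UID 0, so the deny does not block su to ordinary accounts; use_uid
#    identifies the applicant by real UID instead of the PAM_RUSER item.
#    requisite stops the stack immediately on denial.
auth    requisite   pam_wheel.so deny group=somegroup root_only use_uid
#
# 2. Members of 'somegroup' may su to any remaining (non-root) target with
#    no password: trust turns group membership into PAM_SUCCESS, and
#    'sufficient' means a non-member's failure here is ignored and the
#    stack simply continues.
auth    sufficient  pam_wheel.so trust group=somegroup use_uid
#
# 3. Everyone not decided above gets the normal password prompt. Note the
#    hop described in the post: a member who reaches a non-member account
#    is then subject only to this ordinary path, so the deny in rule 1 is
#    only airtight when every account belongs to 'somegroup'.
auth    include     system-auth
account include     system-auth
session include     system-auth
```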