[Freeipa-users] How to set a user group rule to allow su - oracle only?

Steven Jones Steven.Jones at vuw.ac.nz
Tue Jul 17 22:06:09 UTC 2012


Can I get this clarified as I am getting really confused,

Can I do this in/via IPA or not?

Yes or no I think will suffice.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: Arpit Tolani [arpittolani at gmail.com]
Sent: Tuesday, 17 July 2012 11:13 p.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

Hello

On Tue, Jul 17, 2012 at 3:15 AM, Steven Jones <Steven.Jones at vuw.ac.nz> wrote:
Hi,

If I log in as, say, user1, I want that user to be able to su - oracle, but not to, say, su - root (or to any other user).

If user2 logs in, I want them unable to su - X at all, and especially not to root.

If an admin logs in, I want them to be able to su - anybody...

In a way, before, I could do that with the wheel group and PAM.

regards

Steven Jones
rob


# cat /etc/pam.d/su
# root (uid 0) may su to anyone; no further auth modules are consulted
auth            sufficient      pam_rootok.so
# caller in group1? yes: continue to the next line; no: skip one line (the group1 allow-list)
auth            [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1
# target user on the group1 allow-list? yes: jump two lines to system-auth; no: fail
auth            [success=2 default=die] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
# caller in group2? yes: continue; no: fail (caller is in neither group)
auth            [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2
# target user on the group2 allow-list? no: fail; yes: go on to system-auth
auth            requisite pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
auth            include system-auth
account              sufficient        pam_succeed_if.so uid = 0 use_uid quiet
account              include                system-auth
password             include                system-auth
session              include                system-auth
session              optional        pam_xauth.so

With the above configuration:

members of group1 will be able to su only to users listed in /etc/security/su-group1-access
members of group2 will be able to su only to users listed in /etc/security/su-group2-access
users which are in neither group1 nor group2 will not be able to su to anyone
root will be able to su to anyone

Hope that helps. Change it as per your requirement.

Regards
Arpit Tolani
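The control flags in the quoted /etc/pam.d/su (the jump in [default=1 success=ok], the two-line skip in [success=2 default=die], and requisite) are easy to misread, so here is an added plain-sh model of that auth stack's decision logic for checking the policy against a few callers before the file is rolled out. This is example code, not part of the original mail or of FreeIPA; the group names group1 and group2 come from the quoted config, while the allow-list contents, the uids, the temporary directory standing in for /etc/security, and the function names in_group, in_listfile and su_policy are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): a plain-sh model of the quoted
# /etc/pam.d/su auth stack, used to check what the control flags decide for a
# given caller. Allow-lists are constructed in a temp dir instead of
# /etc/security so nothing on the host is touched.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample allow-lists (one target user name per line, as pam_listfile expects)
printf 'oracle\n' > "$WORK/su-group1-access"
printf 'oracle\npostgres\n' > "$WORK/su-group2-access"

# in_group "g1 g2 ..." NAME -> 0 if NAME is one of the caller's groups
# (pam_wheel use_uid: the caller's real uid/groups are what count, not the target's)
in_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# in_listfile FILE USER -> 0 if USER is a whole line of FILE (pam_listfile item=user
# checks the account being switched to). onerr=fail: a missing or unreadable
# list denies rather than allows.
in_listfile() {
    [ -r "$1" ] || return 1
    grep -qx -- "$2" "$1"
}

# su_policy UID "GROUPS" TARGET -> 0 if the auth stack reaches "include
# system-auth" (the caller still has to pass the target's password there),
# 1 if a module in the stack denies first.
su_policy() {
    uid=$1; groups=$2; target=$3
    # pam_rootok sufficient: uid 0 is done immediately
    [ "$uid" -eq 0 ] && return 0
    # pam_wheel group=group1 [default=1 success=ok]
    if in_group "$groups" group1; then
        # success=ok: fall through to the group1 allow-list,
        # pam_listfile [success=2 default=die]
        if in_listfile "$WORK/su-group1-access" "$target"; then
            return 0      # success=2 skips the two group2 lines
        fi
        return 1          # default=die
    fi
    # default=1 skipped the group1 list; pam_wheel group=group2 [default=die success=ok]
    in_group "$groups" group2 || return 1
    # pam_listfile requisite for the group2 allow-list
    in_listfile "$WORK/su-group2-access" "$target"
}

# Walk a few constructed callers through the stack and print the verdict
for case in "0 root root" "1001 group1 oracle" "1001 group1 root" \
            "1002 group2 postgres" "1003 users oracle"; do
    set -- $case
    if su_policy "$1" "$2" "$3"; then verdict=allow; else verdict=deny; fi
    echo "uid=$1 groups=$2 target=$3 -> $verdict"
done
```

The model only reproduces the auth phase: reaching system-auth means the caller is then asked for the target's password, and pam_succeed_if in the account phase is what lets root through without one. Deleting an allow-list in the model (as the checks below do) shows the onerr=fail behaviour: a missing file closes the path rather than opening it.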

