[Freeipa-users] How to set a user group rule to allow su - oracle only?
Steven Jones
Steven.Jones at vuw.ac.nz
Tue Jul 17 22:06:09 UTC 2012
Can I get this clarified as I am getting really confused,
Can I do this in/via IPA or not?
Yes or no I think will suffice.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________
From: Arpit Tolani [arpittolani at gmail.com]
Sent: Tuesday, 17 July 2012 11:13 p.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?
Hello
On Tue, Jul 17, 2012 at 3:15 AM, Steven Jones <Steven.Jones at vuw.ac.nz> wrote:
Hi,
If I log in as, say, user1, I want that user to be able to su - oracle, but not to su - root (or to any other user).
If user2 logs in I want them unable to su - X at all, and especially not to root.
If an admin logs in I want them to be able to su - anybody...
In a way before I could do that with the wheel group and pam.
regards
Steven Jones
rob
# cat /etc/pam.d/su
# root always gets through without a password
auth sufficient pam_rootok.so
# group1 member -> fall through to the group1 list; anyone else -> skip 1 line to the group2 check
auth [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1
# target user listed -> skip the 2 group2 lines and go straight to system-auth; otherwise deny
auth [success=2 default=die] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
# group2 member -> fall through to the group2 list; anyone else -> deny
auth [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2
# target user must be listed, otherwise deny immediately
auth requisite pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
# normal password check against the target account (root skipped it above)
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
With the above configuration:
members of group1 will be able to su only to users in /etc/security/su-group1-access
members of group2 will be able to su only to users in /etc/security/su-group2-access
users who are in neither group1 nor group2 will not be able to su to anyone
root will be able to su to anyone
Hope that helps. Change it as per your requirement.
Regards
Arpit Tolani
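The part of the posted /etc/pam.d/su that is easy to get wrong is the jump arithmetic in the [success=ok default=1] and [success=2 default=die] controls. The following is an added example, not code from the thread and not PAM itself: a small model of that auth stack that walks it with Linux-PAM's ok/done/bad/die/ignore/N actions, so the routing for each kind of caller can be checked before touching a real box. The Caller and Env types, the allow-list contents and the collapsing of "include system-auth" into one password check are all assumptions made for the example.

```python
"""Model of the auth stack in the /etc/pam.d/su above, to make the
[success=ok default=1] / [success=2 default=die] jump arithmetic visible.
Added example, not PAM and not code from the original thread: the three
modules are modelled from their man pages, and "include system-auth" is
collapsed to a single password check."""

from __future__ import annotations
from dataclasses import dataclass

SUCCESS, IGNORE, DENY = "success", "ignore", "deny"

# Linux-PAM's expansions of the keyword controls, in [result=action] form.
REQUIRED = {SUCCESS: "ok", IGNORE: "ignore", "default": "bad"}
REQUISITE = {SUCCESS: "ok", IGNORE: "ignore", "default": "die"}
SUFFICIENT = {SUCCESS: "done", "default": "ignore"}


@dataclass(frozen=True)
class Caller:                # assumed type: the user running su
    uid: int                 # real uid (what use_uid makes pam_wheel look at)
    groups: frozenset[str]   # its group memberships


@dataclass
class Env:
    """Constructed stand-ins for the files the stack reads (not real files)."""
    allow_lists: dict[str, list[str] | None]  # path -> users; None = missing file
    password_ok: bool = True                  # outcome of "include system-auth"


def pam_rootok(caller, target, env, args):
    return SUCCESS if caller.uid == 0 else DENY


def pam_wheel(caller, target, env, args):
    # trust: a member gets PAM_SUCCESS instead of PAM_IGNORE; non-members are denied.
    if args["group"] in caller.groups:
        return SUCCESS if args.get("trust") else IGNORE
    return DENY


def pam_listfile(caller, target, env, args):
    # item=user sense=allow checks PAM_USER, which for su is the *target* account.
    users = env.allow_lists.get(args["file"])
    if users is None:                      # missing/unreadable list file
        return DENY if args.get("onerr") == "fail" else SUCCESS
    return SUCCESS if target in users else DENY


def system_auth(caller, target, env, args):
    return SUCCESS if env.password_ok else DENY


SU_AUTH_STACK = [
    (SUFFICIENT, pam_rootok, {}),
    ({SUCCESS: "ok", IGNORE: "ignore", "default": 1}, pam_wheel,
     {"trust": True, "group": "group1"}),
    ({SUCCESS: 2, "default": "die"}, pam_listfile,
     {"onerr": "fail", "file": "/etc/security/su-group1-access"}),
    ({SUCCESS: "ok", IGNORE: "ignore", "default": "die"}, pam_wheel,
     {"trust": True, "group": "group2"}),
    (REQUISITE, pam_listfile,
     {"onerr": "fail", "file": "/etc/security/su-group2-access"}),
    (REQUIRED, system_auth, {}),   # stand-in for "auth include system-auth"
]


def run_stack(stack, caller, target, env):
    """Walk the stack with Linux-PAM's ok/done/bad/die/ignore/N semantics."""
    i, failed = 0, False
    while i < len(stack):
        control, module, args = stack[i]
        result = module(caller, target, env, args)
        action = control.get(result, control["default"])
        if isinstance(action, int):      # N: success, and skip the next N modules
            i += action + 1
            continue
        if action == "die":              # fail now, ignore the rest of the stack
            return False
        if action == "done":             # sufficient: succeed unless something already failed
            return not failed
        if action == "bad":
            failed = True
        i += 1                           # "ok" and "ignore" just move on
    return not failed


# Constructed allow lists matching the question: user1's group may only reach oracle.
ENV = Env({"/etc/security/su-group1-access": ["oracle"],
           "/etc/security/su-group2-access": ["oracle", "postgres"]})


def su_allowed(caller, target, env=ENV):
    return run_stack(SU_AUTH_STACK, caller, target, env)


if __name__ == "__main__":
    for name, caller in [("root", Caller(0, frozenset())),
                         ("user1", Caller(1001, frozenset({"group1"}))),
                         ("user2", Caller(1002, frozenset({"group2"}))),
                         ("nobody", Caller(1003, frozenset()))]:
        print(name, {t: su_allowed(caller, t) for t in ("oracle", "postgres", "root")})
```

Two things the walk makes obvious that the prose does not: a caller who is in both groups only ever sees group1's list (the group1 branch never falls through to the group2 check), and because of onerr=fail a missing or unreadable list file denies every su for that group rather than silently allowing it.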