Hello

On Tue, Jul 17, 2012 at 3:15 AM, Steven Jones <steven.jo...@vuw.ac.nz> wrote:
> Hi,
>
> If I login as say user1, I want that user to be able to su - oracle, but
> not to say su - root (or to any other user).
>
> If user2 logins I want them unable to su - X at all and especially not
> root.
>
> If an admin logins in I want them to be able to su - anybody...
>
> In a way before I could do that with the wheel group and pam.
>
> regards
>
> Steven Jones
> rob
>

# cat /etc/pam.d/su
auth        sufficient    pam_rootok.so
auth        [default=1 success=ok ignore=ignore]    pam_wheel.so trust use_uid group=group1
auth        [success=2 default=die]    pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
auth        [default=die success=ok ignore=ignore]    pam_wheel.so trust use_uid group=group2
auth        requisite     pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
auth        include       system-auth
account     sufficient    pam_succeed_if.so uid = 0 use_uid quiet
account     include       system-auth
password    include       system-auth
session     include       system-auth
session     optional      pam_xauth.so

With the above configuration:

members of group1 will be able to su only to users in /etc/security/su-group1-access
members of group2 will be able to su only to users in /etc/security/su-group2-access
users who are in neither group1 nor group2 will not be able to su to anyone
root will be able to su to anyone

Hope that helps. Change it as per your requirement.

Regards
Arpit Tolani
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
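
The control flow of the auth lines posted above, as an added example that is not part of the original message: a small Python model of the bracketed control values (ok, die, and the numeric skips). The group members, allow-list contents and function names are constructed for illustration; a caller who is in both groups is included to show that the group1 list is the one consulted.

```python
# Added example: a model of the auth lines in the /etc/pam.d/su reply above.
# Group members and allow-list contents are constructed sample data.
GROUPS = {"group1": {"user1", "both"}, "group2": {"admin1", "both"}}
ALLOW = {"su-group1-access": {"oracle"},
         "su-group2-access": {"oracle", "root", "user1"}}

def rootok(caller, target):            # pam_rootok.so
    return "success" if caller == "root" else "auth_err"

def wheel(group):                      # pam_wheel.so trust use_uid group=...
    return lambda caller, target: (
        "success" if caller in GROUPS[group] else "perm_denied")

def listfile(name):                    # pam_listfile.so item=user sense=allow
    return lambda caller, target: (
        "success" if target in ALLOW[name] else "auth_err")

SUFFICIENT = {"success": "done", "default": "ignore"}
REQUISITE = {"success": "ok", "ignore": "ignore", "default": "die"}

STACK = [  # same order and control values as the posted file
    (SUFFICIENT, rootok),
    ({"default": 1, "success": "ok", "ignore": "ignore"}, wheel("group1")),
    ({"success": 2, "default": "die"}, listfile("su-group1-access")),
    ({"default": "die", "success": "ok", "ignore": "ignore"}, wheel("group2")),
    (REQUISITE, listfile("su-group2-access")),
]

def su_auth(caller, target):
    """Return 'granted', 'denied', or 'system-auth' (stack continues there)."""
    i = 0
    while i < len(STACK):
        actions, module = STACK[i]
        result = module(caller, target)
        action = actions.get(result, actions["default"])
        if action == "done":
            return "granted"
        if action == "die":
            return "denied"
        if isinstance(action, int):
            i += action                # numeric value: skip the next N modules
        i += 1
    return "system-auth"

if __name__ == "__main__":
    for pair in [("root", "oracle"), ("user1", "oracle"), ("user1", "root"),
                 ("admin1", "root"), ("user2", "oracle"), ("both", "root")]:
        print(pair, su_auth(*pair))
```

A result of "system-auth" means the request passed the group and list checks and evaluation continues with the included system-auth lines.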