On Tue, Jul 17, 2012 at 3:15 AM, Steven Jones <steven.jo...@vuw.ac.nz> wrote:
> If I log in as, say, user1, I want that user to be able to su - oracle, but
> not to, say, su - root (or to any other user).
> If user2 logs in I want them unable to su - X at all and especially not
> If an admin logs in I want them to be able to su - anybody...
> In a way, before I could do that with the wheel group and pam.
> Steven Jones
# cat /etc/pam.d/su
auth sufficient pam_rootok.so
auth [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1
auth [success=2 default=die] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
auth [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2
auth requisite pam_listfile.so item=user sense=allow
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
With the above configuration:
members of group1 will be able to su only to users in
members of group2 will be able to su only to users in
users who are not in either group1 or group2 will not be able to su to anyone
root will be able to su to anyone
Hope that helps. Change it as per your requirements.
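A small model of how Linux-PAM walks the auth stack above, so the effect of the [default=1 success=ok ...] and [success=2 default=die] jumps can be checked on sample users without touching a real system. This is an added example, not code from the post: the group memberships, uids and listfile contents are constructed, and /etc/security/su-group2-access is an assumed name for the second listfile, whose path is cut off in the post.

```python
# Constructed sample data: calling users -> supplementary groups and uids,
# plus the allowed *target* users in each pam_listfile file.
GROUPS = {"user1": {"group1"}, "user2": set(), "admin": {"group2"}, "root": set()}
UID = {"user1": 1001, "user2": 1002, "admin": 1003, "root": 0}
LISTFILES = {
    "/etc/security/su-group1-access": {"oracle"},
    "/etc/security/su-group2-access": {"oracle", "postgres", "root", "user1"},  # assumed path
}

OK, DIE, IGNORE, DONE = "ok", "die", "ignore", "done"

def pam_rootok(src, tgt):           # success only when the caller is uid 0
    return UID[src] == 0

def pam_wheel(group):               # "trust use_uid group=G": success iff caller is in G
    return lambda src, tgt: group in GROUPS[src]

def pam_listfile(path):             # "item=user sense=allow onerr=fail": success iff target listed
    return lambda src, tgt: tgt in LISTFILES.get(path, set())

# The auth stack from the post. A control field maps a module result to an action;
# an int means "skip that many following modules". "sufficient" and "requisite" are
# written out as the [ ... ] forms they abbreviate; "include system-auth" is modelled
# as a password check that is assumed to pass.
STACK = [
    ({"success": DONE, "default": IGNORE}, pam_rootok),                              # sufficient
    ({"success": OK, "default": 1}, pam_wheel("group1")),
    ({"success": 2, "default": DIE}, pam_listfile("/etc/security/su-group1-access")),
    ({"success": OK, "default": DIE}, pam_wheel("group2")),
    ({"success": OK, "default": DIE}, pam_listfile("/etc/security/su-group2-access")),  # requisite
    ({"success": OK, "default": DIE}, lambda src, tgt: True),                         # system-auth
]

def su_allowed(src, tgt):
    """True if `src` may su to `tgt` under the modelled stack, walked like Linux-PAM does."""
    i = 0
    while i < len(STACK):
        ctrl, module = STACK[i]
        action = ctrl["success"] if module(src, tgt) else ctrl["default"]
        if action == DONE:
            return True            # sufficient module succeeded: stop here
        if action == DIE:
            return False           # fatal failure: stop here
        i += 1 + (action if isinstance(action, int) else 0)   # ok/ignore: next; N: skip N
    return True

if __name__ == "__main__":
    for src, tgt in [("user1", "oracle"), ("user1", "root"), ("user2", "oracle"),
                     ("admin", "root"), ("root", "user2")]:
        print(f"{src} -> {tgt}: {'allowed' if su_allowed(src, tgt) else 'denied'}")
```

The model covers only the auth phase and the jump arithmetic; it does not replace testing the real file on a scratch host with su from each kind of account.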
Freeipa-users mailing list