Hello all... I'm gari and I'm new to the group... :)

This is my first post... :)....

---
 > Date: Mon, 3 Sep 2001 17:13:36 +0800
 > From: Percy <[EMAIL PROTECTED]>
 > Subject: [plug] Superuser and Sudo
 >
 > hi all.
 >
 > I was tasked to administer a small dev server - and this is my first
 > time to do such a responsibility.
 > Is there a way where I can select the users who can have the permission
 > to use the 'su' command? You may also
<< snip snip >>

I found a file just a month ago that deals with that... although I haven't
tried it, this might help you... :)

Let me cut and paste....

Here goes:

//////////////////////////////////////////////////////////////////////

- /etc/pam.d/su
----------------------

PAM (Pluggable Authentication Modules) is a suite of shared libraries
that allows the sysadmin to decide how applications authenticate users.
The great feature of this is the ability to change the entire
authentication system without touching the applications themselves.

Using pam.d we will restrict who can make use of su (substitute
user). su is a dangerous binary, and its mismanagement could leave you
rooted. su trojans are a reality, especially in rootkits. We will therefore
be working with /etc/pam.d/su.

Step 1: this is what the existing /etc/pam.d/su looks like:

#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_xauth.so

Insert the two pam_rootok/pam_wheel lines at the top of /etc/pam.d/su, right
after the #%PAM-1.0 header, so the file reads:
---------------------------------------------------------------

#%PAM-1.0

auth            sufficient       /lib/security/pam_rootok.so  debug
auth            required         /lib/security/pam_wheel.so  debug

auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_xauth.so

These two lines mean that only members of the group ``wheel'' will be
allowed to su to root: pam_rootok (sufficient) lets root itself through
without further checks, and pam_wheel (required) then refuses anyone who is
not in wheel. Because pam_wheel is ``required'' rather than ``requisite'',
the rest of the auth stack still runs, so a non-wheel user is still prompted
for the root password before being refused and cannot tell from the prompt
that the gate exists. The ``debug'' option only adds logging via syslog and
can be dropped once things work.

--------
Step 2:

To allow a specific user to su to root, you need to make use of the
command usermod.

Assume the user admin already exists and is the user assigned to
administration of the machine. This is a GOOD time to mention: never,
ever, use ``root'' unless it's really necessary. Rather, give an ordinary
account the needed group membership (admin, sys, etc.) and use that account
to administrate the server. More importantly, if you are going to su to root
over a remote login session, do it over SSH (secure shell), never telnet,
since telnet carries the root password over the network in the clear. Or
instead of su, make use of SSH's root binary.

[Gw01f@sek /Gw01f]# usermod -G10 admin

usermod, basically, modifies a user account.
-G - sets the supplementary group list
10 - is the group number (GID) of ``wheel'' on this system; check
/etc/group, since the number can differ between distributions
This puts the admin user into the wheel group, allowing him/her to su to
root. Note that -G replaces the user's whole supplementary-group list
rather than adding to it, so name every group the user should keep; newer
versions of usermod accept -a to append instead. The new membership takes
effect at the user's next login.

//////////////////////////////////////////////////////////////////////

There...

I don't know if this is any good or if it's the best way to do it... :)...
maybe others would like to comment on it... :)

cheers...

gari

:: [EMAIL PROTECTED]  | http://pgpkey.melecio.org/
:: Key Fingerprint: 3bb0 4a3a 1fac c9ea d20a  d838 7308 2114 7fd9 994c
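As an added example (not part of gari's post or of the pasted file), here is a small POSIX shell audit for the two-line wheel gate the pasted instructions describe. It checks an /etc/pam.d/su-style file for an "auth required pam_wheel.so" line and for a "sufficient pam_rootok.so" line placed before it. The three sample files are constructed for this example; the function names has_wheel_gate, rootok_before_wheel and audit_su_pam are hypothetical helpers, and the third sample assumes a current-style file where pam_unix and "include" lines replaced the old /lib/security/pam_pwdb.so entries.

```shell
#!/bin/sh
# Added example, not from the original post or the pasted file. It audits an
# /etc/pam.d/su-style file for the two-line wheel gate the post describes:
#   auth sufficient pam_rootok.so   (root itself needs no further check)
#   auth required   pam_wheel.so    (everyone else must be in group wheel)
# Assumptions: standard PAM line syntax "type control module [options]"; the
# module may be a bare name (pam_wheel.so, as on current distributions) or an
# absolute path (/lib/security/pam_wheel.so, as in the post). The sample
# files written below are constructed for this example.

# Returns 0 if some "auth required|requisite ... pam_wheel.so" line exists.
has_wheel_gate() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_wheel\.so' "$1"
}

# Returns 0 if an "auth sufficient ... pam_rootok.so" line precedes the
# pam_wheel line. Without it, root running su would be put through the wheel
# test as well.
rootok_before_wheel() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_rootok\.so$/ { rootok = 1 }
        $1 == "auth" && $3 ~ /pam_wheel\.so$/ { found = 1; ok = rootok; exit }
        END { if (found && ok) exit 0; exit 1 }
    ' "$1"
}

# Prints one verdict line; returns 0 (hardened), 1 (no wheel gate) or
# 2 (wheel gate present, but pam_rootok.so is not listed before it).
audit_su_pam() {
    if ! has_wheel_gate "$1"; then
        echo "WEAK: $1 lets any user attempt su to root (no auth required pam_wheel.so)"
        return 1
    fi
    if ! rootok_before_wheel "$1"; then
        echo "WARN: $1 gates su on wheel, but pam_rootok.so is not listed (sufficient) before it"
        return 2
    fi
    echo "OK: $1 restricts su to root to members of group wheel"
    return 0
}

WORK=$(mktemp -d)

# Constructed sample 1: the stock file from the post, before the edit.
cat > "$WORK/su.stock" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_xauth.so
EOF

# Constructed sample 2: the post's hardened file (two lines inserted at top).
cat > "$WORK/su.wheel" <<'EOF'
#%PAM-1.0
auth            sufficient       /lib/security/pam_rootok.so  debug
auth            required         /lib/security/pam_wheel.so  debug
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_xauth.so
EOF

# Constructed sample 3: a current-style file (pam_unix/include instead of
# pam_pwdb) where the pam_wheel line was copied but pam_rootok was forgotten.
cat > "$WORK/su.norootok" <<'EOF'
#%PAM-1.0
auth       required     pam_wheel.so use_uid
auth       include      system-auth
account    include      system-auth
session    include      system-auth
EOF

for f in "$WORK/su.stock" "$WORK/su.wheel" "$WORK/su.norootok"; do
    audit_su_pam "$f" || :
done
```

Run it against the live file with audit_su_pam /etc/pam.d/su after making the edit. The use_uid option on pam_wheel in the third sample makes the module check the real uid of the caller rather than the login name, which matters once an attacker can fake a username; and pam_wheel also takes group=NAME if the gating group on your system is not called wheel.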

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]

To subscribe to the Linux Newbies' List: send "subscribe" in the body to 
[EMAIL PROTECTED]
