----- Original Message ----
From: John Summerfield <[email protected]>
To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list <[email protected]>
Sent: Wed, October 21, 2009 10:03:59 PM
Subject: Re: [rhelv5-list] RHEL 5.2 - Winbind and pam.d/su restrictions
Matthew J. Salerno wrote:
> 5.2 x86_64
> Samba: samba-3.0.28-0.el5.8
> PAM: pam-0.99.6.2-3.27.el5
>
> The server is successfully joined to AD and AD users can log in with no
> issues. The issue I am having has to do with the su command. I want to
> allow only a handful of groups to be able to use the su command. I updated
> the /etc/pam/su as shown below, but I am getting the following error in my
> secure log:
> su: pam_listfile(su-l:auth): Refused user root for service su-l
>
> getent group/passwd are both working and sudo works with the groups as well,
> just not pam_listfile.so. What's worse is that if I remove the line with
> the pam_listfile.so and use pam_wheel and specify the domain group, it
> works. So by deduction, the issue has to be with the pam_listfile.so module
> config. I know that I cannot be the only one who has run into this. Also,
> this fails for local users in the wheel group.
>
> If I add the root group, it looks like every user can su, so there is no gain.
>
> Does anyone have an alternative or see an error in my config?

I've not willingly used su since I discovered sudo some years ago, and sudo is the standard way of controlling privileged access on Ubuntu and Mac OS X.

I think the model where every administrator has to know the root password is flawed. By default, sudo requires a user's own password, and it's somewhat configurable as to what users can do, and importantly to you, rules are readily applied to users in particular groups.

For example, I have a couple of CGI scripts that can update firewall rules. Sudo allows the web server to run the scripts without a password, but other users cannot use them to update the firewall, unless they're in a group with that privilege.
--
Cheers
John

-- spambait
[email protected]
[email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list

I completely agree with your statement. The plan is to go with sudo but block su. Multi-user machine, everyone has access to "su -", I only want admins to be able to use it if absolutely needed. If nobody is watching the security logs, what's to stop a brute force password cracking script from trying to get the root password? Sure policies and procedures should be able to prevent it - log monitoring, root passwd changed every 30 days, etc. but I feel that locking down su is just as important, and I know I can't be the only one.
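As an added illustration of the behaviour reported in the quoted question (an editor's example, not either poster's file, which the archive does not preserve): during su's auth phase PAM_USER is the target account, so pam_listfile with item=group tests root's own group memberships, which is why the log says "Refused user root" and why listing the root group lets everyone through, whereas pam_wheel with use_uid tests the groups of the real (invoking) uid. The stanza below is based on the stock RHEL 5 /etc/pam.d/su; the group name suadmins and the allow-file path are assumptions.

```conf
#%PAM-1.0
# /etc/pam.d/su (added example based on the RHEL 5 default; not the poster's config)
auth            sufficient      pam_rootok.so

# Does not work for restricting su by caller's group: in su's auth phase
# PAM_USER is the *target* account (root), so item=group checks root's groups.
# Result: "Refused user root for service su-l" for everyone, or, once the
# root group is listed, su permitted for everyone.
#auth           required        pam_listfile.so item=group sense=allow file=/etc/security/su.groups onerr=fail

# Works: pam_wheel checks group membership of the real (invoking) uid.
# "suadmins" is an assumed group name; use the name getent group reports for
# your winbind or local admin group. "requisite" (rather than "required")
# fails the stack immediately, so non-members never even reach the root
# password prompt, which removes the su-based brute-force path.
auth            requisite       pam_wheel.so use_uid group=suadmins

auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
```

Test from an unprivileged shell in a second session before logging out of the first, since a PAM mistake here can lock administrators out of su entirely.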
