I want to configure PAM so that certain users can su only to certain other users.
On RHEL4:
/etc/pam.d/su
auth required /lib/security/$ISA/pam_stack.so service=system-auth
auth sufficient /lib/security/$ISA/pam_stack.so service=suroot-members
auth required /lib/security/$ISA/pam_deny.so
/etc/pam.d/suroot-members
auth required /lib/security/$ISA/pam_wheel.so use_uid group=suroot
auth required /lib/security/$ISA/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/sumembers-access
With the configuration above, users in group suroot can only su to the usernames listed in sumembers-access. However, on OEL6 pam_stack.so is deprecated. I tried setting it up as below, but it does not behave as expected.
/etc/pam.d/su
auth sufficient pam_rootok.so
auth include system-auth
auth include group2-members
auth include group1-members
auth required pam_deny.so
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
/etc/pam.d/group2-members
auth required pam_wheel.so use_uid group=group2
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
The above is not working; every user can su to anyone. Can someone tell me what I am doing wrong?
Hope this helps.
# cat /etc/pam.d/su
auth sufficient pam_rootok.so
auth [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1
auth [success=2 default=die] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
auth [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2
auth requisite pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
# cat /etc/security/su-group1-access |egrep -v "^#|^$"
Oracle
user
# cat /etc/security/su-group2-access |egrep -v "^#|^$"
root
Original answer: use the following
# cat /etc/pam.d/su |egrep -v "^#|^$"
auth sufficient pam_rootok.so
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup group1
auth required pam_wheel.so use_uid group=group1
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup group2
auth required pam_wheel.so use_uid group=group2
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
# cat /etc/security/su-group1-access |egrep -v "^#|^$"
Oracle
user
# cat /etc/security/su-group2-access |egrep -v "^#|^$"
root
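To check a stack like the ones above without installing it, here is a small simulator added to this thread (it is not code from the question or the answer). It reproduces the Linux-PAM control-flag semantics (ok, done, bad, die, ignore and "jump N", as described in pam.conf(5)) for pam_rootok, pam_wheel, pam_listfile, pam_succeed_if and include, and evaluates the asker's /etc/pam.d/su, the original answer and the updated answer against constructed fixtures. Everything in the fixtures is an assumption: users root, oracle, user, alice (in group1), bob (in group2) and carol (in neither), passwords of the form "<name>-pw", the two access files with the contents shown above, a group1-members file that mirrors the group2-members file from the question, and a system-auth modelled on the stock RHEL 6 file (sufficient pam_unix.so followed by required pam_deny.so).

```python
# PAM auth-stack simulator: an added example for this thread, not code from the
# question or the answer.  It reproduces Linux-PAM's control-flag dispatch
# (ok / done / bad / die / ignore / jump N) for the modules used above, so a
# candidate /etc/pam.d/su can be checked offline before it is installed.
# Constructed assumptions, not from the thread: users, groups, passwords and
# access-file contents; the unshown group1-members file mirrors group2-members;
# "include system-auth" is modelled on the stock RHEL 6 file as
# "sufficient pam_unix.so" followed by "required pam_deny.so".
GROUPS = {"group1": {"alice"}, "group2": {"bob"}}
PASSWORDS = {u: u + "-pw" for u in ("root", "oracle", "user", "alice", "bob", "carol")}
FILES = {"/etc/security/su-group1-access": ["oracle", "user"], "/etc/security/su-group2-access": ["root"]}
LF = "pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-%s-access"
INCLUDES = {
    "system-auth": ["auth sufficient pam_unix.so", "auth required pam_deny.so"],
    "group1-members": ["auth required pam_wheel.so use_uid group=group1", "auth required " + LF % "group1"],
    "group2-members": ["auth required pam_wheel.so use_uid group=group2", "auth required " + LF % "group2"],
}
KEYWORDS = {  # pam.conf(5): the classic keywords as [value=action] tables
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}
# The three /etc/pam.d/su stacks from the thread (auth lines only; other types are not simulated).
ASKER_SU = ["auth sufficient pam_rootok.so", "auth include system-auth",
            "auth include group2-members", "auth include group1-members",
            "auth required pam_deny.so"]
ORIGINAL_SU = ["auth sufficient pam_rootok.so",
               "auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup group1",
               "auth required pam_wheel.so use_uid group=group1", "auth required " + LF % "group1",
               "auth [success=2 default=ignore] pam_succeed_if.so use_uid user notingroup group2",
               "auth required pam_wheel.so use_uid group=group2", "auth required " + LF % "group2",
               "auth include system-auth"]
UPDATED_SU = ["auth sufficient pam_rootok.so",
              "auth [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1",
              "auth [success=2 default=die] " + LF % "group1",
              "auth [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2",
              "auth requisite " + LF % "group2",
              "auth include system-auth"]

def run_module(module, args, caller, target, password):  # one module's PAM return value
    opts = dict(a.split("=", 1) if "=" in a else (a, True) for a in args)
    if module == "pam_rootok.so":
        return "success" if caller == "root" else "auth_err"
    if module == "pam_wheel.so":          # use_uid: the *calling* user is tested
        member = caller in GROUPS.get(opts["group"], ())
        return ("success" if "trust" in opts else "ignore") if member else "perm_denied"
    if module == "pam_listfile.so":       # item=user: the user being authenticated, i.e. the su target
        listed = target in FILES[opts["file"]]   # a missing file would deny under onerr=fail
        return "success" if listed == (opts["sense"] == "allow") else "auth_err"
    if module == "pam_succeed_if.so":     # only "user ingroup/notingroup G" is modelled
        who = caller if "use_uid" in opts else target
        _, op, group = [a for a in args if a not in ("use_uid", "quiet")][:3]
        return "success" if (who in GROUPS.get(group, ())) == (op == "ingroup") else "auth_err"
    if module == "pam_unix.so":           # su prompts for the target's password
        return "success" if password == PASSWORDS.get(target) else "auth_err"
    if module == "pam_deny.so":
        return "auth_err"
    raise ValueError("module not modelled: " + module)

def parse(lines):  # expand 'include' and turn each auth line into (actions, module, args)
    stack = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue
        if parts[1] == "include":         # include splices the file in place, controls intact
            stack.extend(parse(INCLUDES[parts[2]]))
        elif parts[1].startswith("["):    # [value1=action1 value2=action2 ...] module args
            spec = line[line.index("[") + 1:line.index("]")]
            rest = line[line.index("]") + 1:].split()
            stack.append((dict(kv.split("=") for kv in spec.split()), rest[0], rest[1:]))
        else:
            stack.append((KEYWORDS[parts[1]], parts[2], parts[3:]))
    return stack

def dispatch(stack, caller, target, password):  # libpam's _pam_dispatch_aux in miniature
    impression, status, i = None, None, 0  # impression: None (undecided), "+" or "-"
    while i < len(stack):
        actions, module, args = stack[i]
        i += 1
        ret = run_module(module, args, caller, target, password)
        action = actions.get(ret, actions.get("default", "bad"))
        if action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", ("perm_denied" if ret == "ignore" else ret)
            if action == "die":            # die: stop now, the stack fails
                break
        elif action != "ignore":           # ok, done and "jump N" record the result alike
            if ret != "ignore" and (impression is None or (impression == "+" and status == "success")):
                impression, status = ("+" if ret == "success" else impression), ret
            if action == "done" and impression == "+":   # sufficient: finish early
                break
            if action.isdigit():           # jump: skip the next N modules
                i += int(action)
    if status is None or (status == "success" and impression != "+"):
        return "perm_denied"               # nothing contributed: libpam refuses
    return status

def su_allowed(stack_lines, caller, target, password=None):  # password defaults to the target's
    pw = PASSWORDS[target] if password is None else password
    return dispatch(parse(stack_lines), caller, target, pw) == "success"
```

Running su_allowed over the three stacks shows where they differ. In the asker's file, `auth include system-auth` comes before the group checks, and the `sufficient pam_unix.so` inside it ends the stack with success as soon as the target's password is typed, so the included group files and the final pam_deny are never reached (`substack` instead of `include` would confine that `done` to the sub-stack). In the original answer, a caller in neither group takes both `success=2` jumps, lands on system-auth and can still su to anyone whose password they know. In the updated answer, `default=1` and `default=die` reject callers outside both groups, the listfile lines decide which targets each group may reach, and system-auth is last, so the password is only checked once authorisation has passed.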