Date:      Tue, 9 May 2017 15:48:55 +0200
From:      "Rocky Hotas" <rockyhotas@post.com>
To:        "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject:   Allow multiple groups to do su(1) with PAM
Message-ID:  <trinity-19a91118-6220-4b8b-a7c5-0720fd2b33a8-1494337735437@3capp-mailcom-lxa15>

Hi!
A default FreeBSD 11.0 /etc/pam.d/su file contains the following lines:

auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe ruser
auth            include         system

Also LDAP users belonging to another group, say `remotewheel', should be allowed to make `su root'.
pam_group(8) seems not to allow multiple choices for the option `group', so a line for each allowed group must be included. Also, the lines should be `sufficient', because the success of one line must automatically exclude the other. I made these modifications:

auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            sufficient      pam_group.so            no_warn group=remotewheel root_only fail_safe ruser
auth            sufficient      pam_group.so            no_warn group=wheel root_only fail_safe ruser
auth            include         system

but with this configuration, the root password of the local system is never asked for. It should be, instead.
After having verified that the user who makes `su root' belongs to `remotewheel' or `wheel', the system should ask the root password. How is it possible to configure PAM this way?
Thank you anyway,

Rocky

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?trinity-19a91118-6220-4b8b-a7c5-0720fd2b33a8-1494337735437>
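The stack above shows the general problem with OpenPAM control flags: `sufficient' short-circuits the chain on success, so the password check in `auth include system' is never reached, while two `requisite' pam_group lines would demand membership in both groups. One way to get "member of any listed group, then ask for the root password" is to move the membership test into a script run by pam_exec(8) as a single `requisite' line. The following script is an added example, not code from the original message or from FreeBSD; the script path, the group names and the stack lines in its header are assumptions, and it relies on pam_exec exporting PAM_RUSER and PAM_USER and treating a non-zero exit status as failure (check pam_exec(8) on your release). Membership is resolved with `id -Gn`, which goes through NSS, so groups served from LDAP are visible when nss_ldap is configured.

```shell
#!/bin/sh
# su-group-check.sh: added example, not from the original post or from FreeBSD.
# pam_exec(8) helper that accepts the su(1) applicant if they belong to ANY
# group in ALLOWED_GROUPS, so one `requisite` line can stand in front of
# `auth include system`, which is what asks for the target's password:
#
#   auth  sufficient  pam_rootok.so  no_warn
#   auth  sufficient  pam_self.so    no_warn
#   auth  requisite   pam_exec.so    /usr/local/libexec/su-group-check.sh
#   auth  include     system
#
# Assumptions (verify against pam_exec(8)): pam_exec exports PAM_RUSER
# (applicant) and PAM_USER (target) in the environment, and a non-zero exit
# status counts as failure, which `requisite` turns into a denial. The script
# path and the group names are hypothetical.
# Install it root-owned, mode 0555: it runs with root privileges during su.

ALLOWED_GROUPS="wheel remotewheel"

# in_allowed_group MEMBERSHIP ALLOWED
#   MEMBERSHIP: space-separated group names, the format printed by `id -Gn`
#   ALLOWED:    space-separated group names to accept
# Exit status 0 if any group in MEMBERSHIP is listed in ALLOWED, else 1.
# Comparison is exact, so "wheel" does not match "wheelchair" or "remotewheel".
in_allowed_group() {
    for g in $1; do
        for a in $2; do
            [ "$g" = "$a" ] && return 0
        done
    done
    return 1
}

# decide TARGET_UID MEMBERSHIP ALLOWED
# Mirrors pam_group's root_only + ruser behaviour: only su to uid 0 is
# regulated; for any other target the check is a no-op (status 0).
# Status 0 = allow (the chain continues to the password prompt), 1 = deny.
decide() {
    target_uid=$1
    membership=$2
    allowed=$3
    [ "$target_uid" -ne 0 ] && return 0
    in_allowed_group "$membership" "$allowed"
}

# Entry point when invoked by pam_exec. Failing to resolve the applicant or
# the target (unknown user, NSS/LDAP outage) denies, the counterpart of
# pam_group's fail_safe option.
pam_main() {
    ruser=${PAM_RUSER:-}
    user=${PAM_USER:-}
    [ -n "$ruser" ] && [ -n "$user" ] || exit 1
    target_uid=$(id -u "$user" 2>/dev/null) || exit 1
    membership=$(id -Gn "$ruser" 2>/dev/null) || exit 1
    decide "$target_uid" "$membership" "$ALLOWED_GROUPS"
}

# Act only when pam_exec is calling us (it exports PAM_SERVICE); sourcing the
# file otherwise just defines the functions so they can be exercised directly.
if [ -n "${PAM_SERVICE:-}" ]; then
    pam_main
    exit $?
fi
```

Because pam_exec runs the script as root on every `su root`, keep it short, avoid anything that reads user-controlled input, and make sure neither the script nor its directory is writable by non-root users; otherwise the group check becomes a root-owned script anyone in the trusted path can rewrite.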