Date: Tue, 9 May 2017 15:48:55 +0200
From: "Rocky Hotas" <rockyhotas@post.com>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: Allow multiple groups to do su(1) with PAM
Message-ID: <trinity-19a91118-6220-4b8b-a7c5-0720fd2b33a8-1494337735437@3capp-mailcom-lxa15>
Hi!

A default FreeBSD 11.0 /etc/pam.d/su file contains the following lines:

    auth sufficient pam_rootok.so no_warn
    auth sufficient pam_self.so no_warn
    auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
    auth include system

Also LDAP users belonging to another group, say `remotewheel', should be allowed to run `su root'. pam_group(8) seems not to allow multiple choices for the option `group', so a line for each allowed group must be included. Also, the lines should be `sufficient', because the success of one line automatically must exclude the other.

I made these modifications:

    auth sufficient pam_rootok.so no_warn
    auth sufficient pam_self.so no_warn
    auth sufficient pam_group.so no_warn group=remotewheel root_only fail_safe ruser
    auth sufficient pam_group.so no_warn group=wheel root_only fail_safe ruser
    auth include system

but with this configuration, the root password of the local system is never asked for. It should be, instead. After verifying that the user who runs `su root' belongs to `remotewheel' or `wheel', the system should ask for the root password.

How is it possible to configure PAM this way?

Thank you anyway,

Rocky
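An added example, not part of Rocky's message and not FreeBSD's or OpenPAM's own code: a small Python model of how OpenPAM walks an `auth` chain (the control-flag rules of openpam_dispatch.c, simplified), run over the two /etc/pam.d/su fragments quoted in the message. It traces which modules actually execute, which is what explains the behaviour Rocky observed. Assumptions made for the example: a constructed group database (alice in wheel, bob in remotewheel, carol in neither), the modules reduced to the options the fragments use, and `auth include system` collapsed into a single required password check standing in for the pam_unix line of /etc/pam.d/system.

```python
"""Simplified model of OpenPAM auth-chain dispatch, applied to two su policies.

Added example; the group table, users and the 'system' stand-in are constructed
for illustration and are not real FreeBSD data.
"""
from dataclasses import dataclass, field

SUCCESS, AUTH_ERR, IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"

# Constructed group database: alice is a local wheel member, bob is the LDAP
# user in the hypothetical remotewheel group, carol is in neither.
GROUPS = {"wheel": {"alice"}, "remotewheel": {"bob"}}


@dataclass
class Ctx:
    ruser: str                  # applicant running su (PAM_RUSER)
    ruid: int                   # applicant's real uid
    target: str = "root"        # su target (PAM_USER)
    target_uid: int = 0
    password_ok: bool = True    # would the applicant type the correct root password?
    trace: list = field(default_factory=list)   # modules that actually ran


# Minimal models of the modules used in the fragments.
def pam_rootok(ctx, opts):
    return SUCCESS if ctx.ruid == 0 else AUTH_ERR


def pam_self(ctx, opts):
    return SUCCESS if ctx.ruser == ctx.target else AUTH_ERR


def pam_group(ctx, opts):
    if "root_only" in opts and ctx.target_uid != 0:
        return IGNORE                      # only applies when the target is root
    members = GROUPS.get(opts.get("group", ""), set())
    if not members:                        # missing or empty group
        return SUCCESS if "fail_safe" in opts else AUTH_ERR
    who = ctx.ruser if "ruser" in opts else ctx.target
    return SUCCESS if who in members else AUTH_ERR


def include_system(ctx, opts):
    # Stand-in for the auth chain of /etc/pam.d/system: the step that prompts
    # for and verifies the target's password (pam_unix in the real file).
    return SUCCESS if ctx.password_ok else AUTH_ERR


MODULES = {"pam_rootok.so": pam_rootok, "pam_self.so": pam_self,
           "pam_group.so": pam_group, "system": include_system}


def parse_chain(text):
    """Turn 'auth <flag> <module> [opts...]' lines into (flag, module, opts)."""
    chain = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "auth":
            continue
        flag, module, *opts = parts[1:]
        if flag == "include":
            # /etc/pam.d/system ends in 'auth required pam_unix.so', so the
            # stand-in is modelled as a required module (assumption).
            flag = "required"
        chain.append((flag, module, {k: v for k, _, v in (o.partition("=") for o in opts)}))
    return chain


def run_auth(chain, ctx):
    """Walk the chain with OpenPAM's control-flag rules (simplified)."""
    fail, err = False, SUCCESS
    for flag, module, opts in chain:
        ctx.trace.append(module)
        r = MODULES[module](ctx, opts)
        if r == SUCCESS:
            # sufficient/binding: stop here unless a required module already failed
            if flag in ("sufficient", "binding") and not fail:
                break
            continue
        if r == IGNORE:
            continue
        if flag in ("required", "binding"):
            if not fail:
                fail, err = True, r
            continue                       # later modules still run
        if flag == "requisite":
            fail, err = True, r
            break                          # stop immediately
        # sufficient / optional: the failure is simply ignored
    return SUCCESS if not fail else err


DEFAULT_SU = """
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
auth include system
"""

TWO_GROUPS_SUFFICIENT = """
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient pam_group.so no_warn group=remotewheel root_only fail_safe ruser
auth sufficient pam_group.so no_warn group=wheel root_only fail_safe ruser
auth include system
"""


def su_root(config, ruser, ruid=1000, password_ok=True):
    """Return (result, password_was_checked) for `su root` run by ruser."""
    ctx = Ctx(ruser=ruser, ruid=ruid, password_ok=password_ok)
    result = run_auth(parse_chain(config), ctx)
    return result, "system" in ctx.trace


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_SU), ("two sufficient", TWO_GROUPS_SUFFICIENT)):
        for user in ("alice", "bob", "carol"):
            print(name, user, su_root(cfg, user, password_ok=False))
```

What the model shows: with the default policy, alice (wheel) reaches the password check and bob (not in wheel) is cut off by the requisite line before it. With the two `sufficient` lines, a success in either pam_group line ends the chain at once, so neither alice nor bob is ever asked for the root password; and because a failing `sufficient` module is ignored, carol, who is in neither group, falls through to the password check and succeeds if she knows the root password. The `sufficient` variant therefore removes both the password prompt for members and the group restriction for non-members.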