From: "Rocky Hotas" <rockyhotas@post.com>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: Allow multiple groups to do su(1) with PAM
Date: Tue, 9 May 2017 15:48:55 +0200
Hi!

A default FreeBSD 11.0 /etc/pam.d/su file contains the following lines:

auth    sufficient  pam_rootok.so   no_warn
auth    sufficient  pam_self.so     no_warn
auth    requisite   pam_group.so    no_warn group=wheel root_only fail_safe ruser
auth    include     system

Also LDAP users belonging to another group, say `remotewheel', should be
allowed to make `su root'. pam_group(8) seems not to allow multiple choices
for the option `group', so a line for each allowed group must be included.
Also, the lines should be `sufficient', because the success of one line
automatically must exclude the other.

I made these modifications:

auth    sufficient  pam_rootok.so   no_warn
auth    sufficient  pam_self.so     no_warn
auth    sufficient  pam_group.so    no_warn group=remotewheel root_only fail_safe ruser
auth    sufficient  pam_group.so    no_warn group=wheel root_only fail_safe ruser
auth    include     system

but with this configuration, the root password of the local system is never
asked. It should, instead. After having verified that the user who makes
`su root' belongs to `remotewheel' or `wheel', the system should ask the root
password.

How is it possible to configure PAM this way?

Thank you anyway,

Rocky
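Added illustration (not part of the message above, and not FreeBSD or OpenPAM code): a small Python model of the way OpenPAM's dispatcher walks an auth chain, used to trace the two policies quoted in the mail. The module functions are stand-ins that mimic only the outcomes relevant here, and the `auth include system` line is collapsed to a single `required pam_unix.so` step so that "was the password asked?" can be observed; user names, group memberships and the "alternative" ordering are constructed for the example. Run against the posted policy, the model shows two effects of making both group lines `sufficient`: a member of either group ends the chain before any password module runs, and a user in neither group is no longer stopped by the group check at all (the chain falls through to the password step alone). The alternative ordering asks the password first with `required`, then demands membership in one of the two groups with a `sufficient`/`requisite` pair.

```python
# Model of OpenPAM auth-chain dispatch (openpam_dispatch semantics), written
# for this illustration. Not FreeBSD code; no real pam_*.so module is loaded.
from dataclasses import dataclass, field
from enum import Enum


class Ret(Enum):
    SUCCESS = "PAM_SUCCESS"
    AUTH_ERR = "PAM_AUTH_ERR"
    IGNORE = "PAM_IGNORE"


@dataclass
class Ctx:
    """Constructed request context: who is running su, and for which target."""
    ruser: str
    target: str
    groups: frozenset
    password_ok: bool
    prompted: bool = False          # set once the password module has run
    log: list = field(default_factory=list)


# Stand-in modules (hypothetical; they mirror only the documented outcomes
# needed here; extra options such as no_warn/fail_safe/ruser are ignored).
def pam_rootok(ctx, **opt):
    return Ret.SUCCESS if ctx.ruser == "root" else Ret.AUTH_ERR

def pam_self(ctx, **opt):
    return Ret.SUCCESS if ctx.ruser == ctx.target else Ret.AUTH_ERR

def pam_group(ctx, group="wheel", root_only=False, **opt):
    if root_only and ctx.target != "root":   # root_only: only checked for su to root
        return Ret.IGNORE
    return Ret.SUCCESS if group in ctx.groups else Ret.AUTH_ERR

def pam_unix(ctx, **opt):
    ctx.prompted = True                       # the target's password is asked here
    return Ret.SUCCESS if ctx.password_ok else Ret.AUTH_ERR

MODULES = {"pam_rootok.so": pam_rootok, "pam_self.so": pam_self,
           "pam_group.so": pam_group, "pam_unix.so": pam_unix}


def parse(policy):
    """Parse pam.conf-style lines: '<facility> <control> <module> [opt[=val] ...]'."""
    chain = []
    for line in policy.strip().splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        _facility, control, module, *opts = fields
        kw = {}
        for o in opts:
            k, _, v = o.partition("=")
            kw[k] = v if v else True
        chain.append((control, module, kw))
    return chain


def dispatch(policy, ctx):
    """Walk the chain: sufficient/binding stop on success (unless a required
    module already failed), required records the first failure and continues,
    requisite stops the chain on failure."""
    err, fail = None, False
    for control, module, kw in parse(policy):
        r = MODULES[module](ctx, **kw)
        ctx.log.append(f"{control:<10} {module:<14} -> {r.value}")
        if r is Ret.IGNORE:
            continue
        if r is Ret.SUCCESS:
            if control in ("sufficient", "binding") and not fail:
                break
            continue
        if err is None:
            err = r
        if control in ("required", "binding") and not fail:
            fail, err = True, r
        if control == "requisite":
            fail = True
            break
    return Ret.SUCCESS if not fail else err


# The posted policy, with "include system" stood in by one required pam_unix line.
POSTED = """
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient pam_group.so no_warn group=remotewheel root_only fail_safe ruser
auth sufficient pam_group.so no_warn group=wheel root_only fail_safe ruser
auth required   pam_unix.so no_warn try_first_pass
"""

# Constructed alternative: password first (required), then "either group".
ALTERNATIVE = """
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth required   pam_unix.so no_warn try_first_pass
auth sufficient pam_group.so no_warn group=remotewheel root_only fail_safe ruser
auth requisite  pam_group.so no_warn group=wheel root_only fail_safe ruser
"""


def run(policy, ruser, groups, password_ok=True, target="root"):
    """Return (result name, whether a password was asked) for one su attempt."""
    ctx = Ctx(ruser, target, frozenset(groups), password_ok)
    return dispatch(policy, ctx).value, ctx.prompted


if __name__ == "__main__":
    for name, pol in (("posted", POSTED), ("alternative", ALTERNATIVE)):
        for user, groups in (("alice", {"wheel"}), ("bob", {"remotewheel"}), ("eve", set())):
            print(f"{name:<12} {user:<6} {run(pol, user, groups)}")
```

Two caveats on carrying the alternative ordering to a real /etc/pam.d/su. First, the model replaces `auth include system` with a single line; on an actual system OpenPAM splices the included policy's chain into the current one, so a `sufficient` line inside it (the default 11.0 system policy carries one for pam_opie) would end the whole chain at that point and never reach group checks placed after the include. Second, asking the password before the membership check means every caller, member or not, gets a password prompt; whether that ordering is acceptable is a local decision.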