
Re: su without password using libpam



Ben Collins wrote:
> Ok, correction on this. In the /etc/security/su.allow just put "root" (who they are
> allowed to su to), and then add this line:
> 
> #######
> auth       sufficient pam_listfile.so onerr=fail sense=allow \
> 	file=/etc/security/su.allow item=user apply=you
> #######
> 
> This applies the rule for "you" to be able to su to "root" without a password.

"apply=you" only makes sense in conjunction with the tty, rhost and
shell items, as stated in the docs. The above way, any user gets
passwordless root access, not only user "you".

The only way to manage this is to set up a group wheel, use the
"auth       required   pam_wheel.so" line, add user "you" to group
wheel and do it the above way, leaving out the "apply=you" option.


-- 
Andreas Kurth    Mannheim, Germany
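
The two configurations discussed in this thread, written out side by side as an added example (not part of the original messages). It assumes the file being edited is /etc/pam.d/su and that the distribution's existing password line stays in place below these entries.

```conf
# /etc/pam.d/su  (auth section only; path is an assumption)
# /etc/security/su.allow contains the single line: root

# --- As first posted (left commented out) --------------------------------
# With item=user, pam_listfile compares the account being su'ed TO against
# su.allow. "apply=" is only meaningful for item=tty, rhost or shell, so it
# does not narrow the rule to user "you": any caller running "su root"
# matches and the "sufficient" result skips the password prompt.
#auth       sufficient pam_listfile.so onerr=fail sense=allow \
#	file=/etc/security/su.allow item=user apply=you

# --- As described in the reply -------------------------------------------
# 1. Callers must be in group wheel. Because this line is "required", a
#    failure here cannot be overridden by a later "sufficient" module, so
#    it has to come first.
auth       required   pam_wheel.so

# 2. For callers that passed the wheel check, skip the password when the
#    target account is listed in su.allow (here: root).
auth       sufficient pam_listfile.so onerr=fail sense=allow \
	file=/etc/security/su.allow item=user

# 3. The existing password-authentication line of the system stays below,
#    unchanged, and still applies to targets not listed in su.allow.
```

With this layout every member of wheel can become root without a password, so membership in wheel has to be managed as carefully as the root password itself; users outside wheel are refused su to root.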

