
Re: su without password using libpam



On Sat, Sep 18, 1999 at 09:44:58AM +0200, Andreas Kurth wrote:
> Ben Collins wrote:
> > Ok correction on this. In the /etc/security/su.allow just put "root" (who they are
> > allowed to su to), and then add this line:
> > 
> > #######
> > auth       sufficient pam_listfile.so onerr=fail sense=allow \
> > 	file=/etc/security/su.allow item=user apply=you
> > #######
> > 
> > This applies the rule for "you" to be able to su to "root" without a password.
> 
> "apply=you" only makes sense in conjunction with the tty, rhost and
> shell items, as stated in the docs. The above way, any user gets
> passwordless root access, not only user "you".
> 
> The only way to manage this, is to set up a group wheel, use the
> "auth       required   pam_wheel.so" line, add user "you" to group
> wheel and do it the above way leaving out the "apply=you" option.

It shouldn't according to the docs (yes I read that particular caveat, but
the logic is still there for it to work). For passwordless access, you could
make the pam_wheel.so module "sufficient" which means that belonging to the
group "root" gives them access to su without a password.

Ben
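
[Added example, not part of the original thread or of PAM itself.] The replies above disagree on whether `apply=` narrows an `item=user` rule, so an administrator reviewing an su stack may want every `sufficient` auth line of the two kinds discussed here listed for manual checking. The sample file content and the names `parse_pam` and `audit` are constructed for this illustration.

```python
import re

# Constructed sample of /etc/pam.d/su built from the lines quoted in the thread.
SAMPLE_SU = """\
#%PAM-1.0
auth       sufficient pam_rootok.so
auth       sufficient pam_listfile.so onerr=fail sense=allow \\
	file=/etc/security/su.allow item=user apply=you
auth       sufficient pam_wheel.so
auth       required   pam_unix.so
"""

# Items for which the thread says apply= has meaning, "as stated in the docs".
APPLY_ITEMS = {"tty", "rhost", "shell"}
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return (type, control, module, options) per rule, joining '\\' continuations."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            kind, control, module, rest = m.groups()
            opts = dict(o.partition("=")[::2] for o in rest.split())
            rules.append((kind.lstrip("-"), control, module.rsplit("/", 1)[-1], opts))
    return rules


def audit(text):
    """Flag 'auth sufficient' rules of the two kinds discussed in the thread."""
    findings = []
    for kind, control, module, opts in parse_pam(text):
        if kind != "auth" or control != "sufficient":
            continue
        if (module == "pam_listfile.so" and "apply" in opts
                and opts.get("item") not in APPLY_ITEMS):
            findings.append((module, "apply=%s with item=%s: verify which callers "
                             "actually pass" % (opts["apply"], opts.get("item"))))
        elif module == "pam_wheel.so":
            findings.append((module, "group membership alone satisfies auth, "
                             "no password asked"))
    return findings


if __name__ == "__main__":
    for module, reason in audit(SAMPLE_SU):
        print("%-16s %s" % (module, reason))
```
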

