Restricting which users can run su on Ubuntu [pam]

Published 2023-09-15 10:57:22  Author: ishmaelwanglin

Edit the PAM policy in /etc/pam.d/su

#
# The PAM configuration file for the Shadow `su' service
#

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth       sufficient pam_wheel.so trust

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth       required   pam_wheel.so deny group=nosu


# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session    optional   pam_mail.so nopen

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
# auth       required   pam_wheel.so deny group=nosu
>>>
auth       required   pam_wheel.so deny group=nosu

Uncomment that line: users in the nosu group are then no longer allowed to run su.

The group name can be chosen freely.

auth       required   pam_wheel.so group=sudo

With this line only members of the sudo group are allowed to run su.
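The two edits above, applied and checked from a script, as an added example that is not part of the original post. It works on a constructed copy of the relevant /etc/pam.d/su lines rather than the live file, and every function name (make_sample_su, enable_nosu_deny, restrict_su_to_group, su_is_restricted, root_bypass_first, active_policy) is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the two
# pam_wheel.so restrictions described above on a copy of /etc/pam.d/su.
# Function names are hypothetical; the sample file is constructed to
# mirror the relevant stock Ubuntu lines.

# Write a constructed stand-in for /etc/pam.d/su to the path given in $1.
make_sample_su() {
  cat > "$1" <<'EOF'
# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
# auth       required   pam_wheel.so
# auth       required   pam_wheel.so deny group=nosu
@include common-auth
@include common-account
@include common-session
EOF
}

# Variant 1: uncomment the stock "deny group=nosu" line ($1 = file).
# Idempotent: an already-active line is left untouched.
enable_nosu_deny() {
  sed 's/^#[[:space:]]*\(auth[[:space:]]*required[[:space:]]*pam_wheel\.so[[:space:]]*deny[[:space:]]*group=nosu\)[[:space:]]*$/\1/' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Variant 2: allow su only for members of group $2 ($1 = file).
# The line goes directly after pam_rootok.so so that root keeps its
# password-less su; placing it before pam_rootok.so would lock root out
# unless root is itself a member of the group (see the comment in the file).
restrict_su_to_group() {
  grep -q "^auth[[:space:]]*required[[:space:]]*pam_wheel\.so group=$2\$" "$1" && return 0
  awk -v grp="$2" '
    { print }
    /^auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so/ {
      print "auth       required   pam_wheel.so group=" grp
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Check: is there any active (uncommented) pam_wheel.so auth line?
su_is_restricted() {
  grep -q '^auth[[:space:]]*required[[:space:]]*pam_wheel\.so' "$1"
}

# Check: does the active pam_rootok.so line still precede the first
# active pam_wheel.so line? (Ordering decides whether root is affected.)
root_bypass_first() {
  ok=$(grep -n 'pam_rootok\.so' "$1" | grep -v '^[0-9]*:#' | head -n1 | cut -d: -f1)
  wh=$(grep -n 'pam_wheel\.so' "$1" | grep -v '^[0-9]*:#' | head -n1 | cut -d: -f1)
  [ -n "$ok" ] && [ -n "$wh" ] && [ "$ok" -lt "$wh" ]
}

# Show the effective policy: non-comment, non-empty lines.
active_policy() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Stand-alone demo on a temporary copy:  sh su_pam.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_su "$tmp"
  enable_nosu_deny "$tmp"
  restrict_su_to_group "$tmp" sudo
  active_policy "$tmp"
  rm -f "$tmp"
fi
```

Run it against a copy first, keep a second root shell open while you test the real file, and confirm with su from an unprivileged account that the new line actually takes effect. Note that `group=sudo` only governs su itself; sudo is authorised through /etc/sudoers, so this aligns the two paths rather than replacing one with the other.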

Description of the pam_wheel.so module

pam_wheel.so [debug] [deny] [group=name] [root_only] [trust] [use_uid]

DESCRIPTION

The pam_wheel PAM module is used to enforce the so-called wheel group. By default it permits access to the target user if the applicant user is a member of the wheel group. If no group with that name exists, the module uses the group with group ID 0.

OPTIONS

  • debug
    Print debug information.

  • deny
    Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group given by the group option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless trust was also specified, in which case PAM_SUCCESS is returned).

  • group=name
    Instead of checking the wheel or GID 0 group, use the group name to perform the authentication.

  • root_only
    Only perform the wheel membership check when the target user has UID 0.

  • trust
    If the user is a member of the wheel group, the pam_wheel module returns PAM_SUCCESS instead of PAM_IGNORE (so, with a little care in stacking the modules, wheel members can become root without being prompted for a password).

  • use_uid
    The wheel membership check is done against the current UID instead of the original one (useful, for example, when jumping from one account to another with su).

Module types provided

The auth and account module types are provided.

Return values

PAM_AUTH_ERR
    Authentication failure.

PAM_BUF_ERR