Differences between revisions 1 and 7 (spanning 6 versions)
Revision 1 as of 2012-12-07 09:16:33
Size: 553
Editor: ?Olivier BATARD
Comment:
Revision 7 as of 2014-08-17 14:35:11
Size: 909
Editor: MichaelSmall
Comment: usermod -G alone, without -a, will remove the user from other groups.
Deleted (revision 1):

= Pam Wheel or how to su sithout a password =

== The need ==

Well, you want to have a secure root password with many characters and specials symbols. Obviously, that will be painful to write it each time you su. You have two options :

 * Use a password manager like Keepass
 * Use pam with wheel option

== Security Consideration ==

That seems to be quite stupid to say but having the ability to do su without a password is equivalent to have root access from your accounts, so take care of having a strong password for your user account.

Added (revision 7):

= Pam Wheel =

<<TableOfContents()>>

== Introduction ==

Set up the '''pam_wheel''' module to restrict the execution of su, editing /etc/pam.d/su and (optionally) adding a wheel group.

The root group will be checked if the wheel group does not exist, but it is recommended to leave that group to root alone.

=== Restrict the execution of su ===

With root privileges, uncomment the following line in /etc/pam.d/su by removing the leading '#':

{{{
#auth       required pam_wheel.so
}}}

That's all for the file and no user can execute su anymore. This is the most secure configuration.

=== Allow a user to execute su ===

After having restricted the execution of su, create the group '''wheel''' with root privileges:

{{{
# groupadd wheel
}}}

And then add user_name to that group:

{{{
# usermod -aG wheel user_name
}}}

From now on, user_name can execute su.
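An added example, not part of the wiki page, that scripts the two steps above: it uncomments the pam_wheel line in a PAM file passed as a parameter and verifies the result, so it can be exercised on a constructed copy before touching the real /etc/pam.d/su. The sample file contents and the function names are constructed for this example; it assumes a sed that accepts -E.

```shell
#!/bin/sh
# Added example, not from the wiki page: apply the "Restrict the execution
# of su" step to a PAM file given as a parameter and verify it, so the logic
# can be exercised on a constructed copy before touching /etc/pam.d/su.

# Return 0 when an active (uncommented) pam_wheel auth line exists in $1.
pam_wheel_enabled() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so'
}

# Uncomment "#auth required pam_wheel.so" in $1. Idempotent: a second run
# changes nothing; writing back with cat keeps the file's inode and mode.
enable_pam_wheel() {
    pam_wheel_enabled "$1" && return 0
    tmp=$(mktemp) || return 1
    sed -E 's/^[[:space:]]*#[[:space:]]*(auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*)$/\1/' \
        "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
    pam_wheel_enabled "$1"
}

# Second step of the page (needs root, not run here): create wheel if it is
# missing and add the user with -aG; -G alone would drop the user's other groups.
grant_su() {
    getent group wheel >/dev/null || groupadd wheel
    usermod -aG wheel "$1"
}

# Constructed sample modelled on a Debian /etc/pam.d/su, pam_wheel still commented.
make_sample() {
    cat > "$1" <<'EOF'
auth       sufficient pam_rootok.so
# Uncomment this to force users to be a member of group wheel
# before they can use su.
#auth       required pam_wheel.so
@include common-auth
EOF
}

sample=$(mktemp)
make_sample "$sample"
pam_wheel_enabled "$sample" && echo "su already restricted" || echo "su not restricted yet"
enable_pam_wheel "$sample" && echo "pam_wheel now active in $sample"
rm -f "$sample"
```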
