In some situations you need to restrict su access so that:
- only user ‘oracle’ can switch to one particular user (e.g. switch to admin with ‘su – admin’ to maintain the system), while switching to any other user still fails;
- no other user can use su at all.
Modifying the default PAM configuration for su accomplishes this. The steps below set up the restriction:
1. Create a new group for oracle that is allowed to run su:
# groupadd adminmembers
2. Add the user (oracle) to the group. Use -a together with -G, because plain -G replaces the user's existing supplementary groups instead of adding to them:
# usermod -aG adminmembers oracle
3. Create the file /etc/security/su-adminmembers-access and put ‘admin’ in it:
# cat /etc/security/su-adminmembers-access
admin
Make sure /etc/security/su-adminmembers-access is writable only by ‘root’ and not by any other user:
# ls -l /etc/security/su-adminmembers-access
-rw-r--r-- 1 root root 7 Dec 4 12:44 /etc/security/su-adminmembers-access
4. Add the following two rules to the /etc/pam.d/su configuration file:
auth required pam_wheel.so use_uid group=adminmembers debug
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-adminmembers-access
With the above two rules, switching users with su is restricted as follows:
- Only users in group ‘adminmembers’ (in this case, oracle) can switch to admin with ‘su – admin’, and only with admin's valid password
- Users in group ‘adminmembers’ can switch only to ‘admin’ with ‘su – admin’; switching to any other user still fails
- Users NOT in group ‘adminmembers’ cannot use ‘su’ to switch users at all
- User ‘root’ can still switch to any other user
Note that the above setting should only be considered if you really need such a strict su policy. In general, sudo is recommended, since it allows more flexible switching policies.
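An audit script for the configuration above, written as an added example and not part of the original post: it checks that both auth rules are present in /etc/pam.d/su with the stated options and sit after the stock `auth sufficient pam_rootok.so` line (root's bypass, which is why root can still su), that the allow-list is root-owned and not group/world-writable, and that it names only admin. It assumes a POSIX shell with awk, find and grep; the paths, group and user are the post's values.

```shell
#!/bin/sh
PAM_SU=/etc/pam.d/su
GROUP=adminmembers
LISTFILE=/etc/security/su-adminmembers-access

# rules_ok PAMFILE GROUP LISTFILE
# Exit 0 when both auth rules are present with the expected options and sit
# after any pam_rootok.so line, which is what lets root bypass the checks.
rules_ok() {
    awk -v grp="$2" -v lst="$3" '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && /pam_rootok\.so/ { rootok = NR }
        $1 == "auth" && $2 == "required" && /pam_wheel\.so/ && /use_uid/ &&
            index($0, "group=" grp) { wheel = NR }
        $1 == "auth" && $2 == "required" && /pam_listfile\.so/ && /item=user/ &&
            /sense=allow/ && /onerr=fail/ && index($0, "file=" lst) { list = NR }
        END {
            if (!wheel || !list) exit 1                 # one of the rules is missing
            if (wheel < rootok || list < rootok) exit 1 # a rule precedes pam_rootok
            exit 0
        }' "$1"
}

# listfile_perms_ok LISTFILE [OWNER]
# Exit 0 when the allow-list exists, is owned by OWNER (default root) and is
# not writable by group or others, so only root can extend the list.
listfile_perms_ok() {
    f=$1; owner=${2:-root}
    [ -f "$f" ] || return 1
    [ "$(ls -ld "$f" | awk '{ print $3 }')" = "$owner" ] || return 1
    [ -z "$(find "$f" -perm -g+w -o -perm -o+w)" ]
}

# listfile_users_ok LISTFILE USER...
# Exit 0 when the allow-list holds exactly the given user names, one per line;
# pam_listfile matches lines literally, so a comment or blank line is a bogus entry.
listfile_users_ok() {
    f=$1; shift
    grep -qvE '^[A-Za-z_][A-Za-z0-9_-]*$' "$f" && return 1
    [ "$(sort "$f")" = "$(printf '%s\n' "$@" | sort)" ]
}

# Run all three checks against the live system and report the first failure.
audit_su_restriction() {
    rules_ok "$PAM_SU" "$GROUP" "$LISTFILE" || { echo "rules missing or misordered in $PAM_SU"; return 1; }
    listfile_perms_ok "$LISTFILE" || { echo "$LISTFILE must be root-owned, owner-writable only"; return 1; }
    listfile_users_ok "$LISTFILE" admin || { echo "$LISTFILE should contain only: admin"; return 1; }
    echo "su restriction in $PAM_SU is consistent"
}
```

Run `audit_su_restriction` as root after completing step 4; each function can also be pointed at other paths for testing a copy of the configuration.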