On Fri, Sep 17, 1999 at 11:57:59AM -0400, Ben Collins wrote:
> Package: libpam-modules
> Version: 0.69-6
> Severity: normal
>
> On Fri, Sep 17, 1999 at 09:12:27PM +0200, Andreas Kurth wrote:
> > Ben Collins wrote:
> > > Or you can add this to your /etc/pam.d/su file after the rootok module:
> > >
> > > #######
> > > auth sufficient pam_listfile.so onerr=fail sense=allow \
> > >      file=/etc/security/su.allow item=user
> > > #######
> > >
> > > Then create the file /etc/security/su.allow (preferably mode 600) with a
> > > list of each user you want to grant passwordless access to su (one on each
> > > line).
> >
> > That's what I had already tried. It doesn't work. No error, no
> > warning, just the same behaviour as before.
> >
> > Thank you nevertheless.
>
> Odd, it always tries to match user to "root" (it's using the geteuid()
> instead of getuid()). It is supposed to work, but it seems that the module
> is broken.
>
> I'm filing this as a bug so I don't forget to fix it in this next upload.
> Just hang tight for a couple days, and this will work. :)
>

Ok correction on this. In the /etc/security/su.allow just put "root" (who
they are allowed to su to), and then add this line:

#######
auth sufficient pam_listfile.so onerr=fail sense=allow \
     file=/etc/security/su.allow item=user apply=you
#######

This applies the rule for "you" to be able to su to "root" without a
password. (Make sure you use the "sufficient" class, or it will still try to
get a password, and that this comes before the pam_unix.so auth module.) You
could also set [EMAIL PROTECTED], and then any member of the sugrp group
would have access to this rule.

Ben
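
The conditions named in the thread for this rule (the "sufficient" class, placement before pam_unix.so, onerr=fail, an apply= restriction, and a mode 600 list file) can be checked mechanically. The following is an added example, not part of the original thread or of PAM; the function names and the sample stack are constructed for illustration, and bracketed `[...]` control syntax is assumed not to be used.

```python
import os
import stat

# Constructed sample of /etc/pam.d/su, laid out as described in the thread.
SAMPLE_SU = """\
auth sufficient pam_rootok.so
auth sufficient pam_listfile.so onerr=fail sense=allow \\
     file=/etc/security/su.allow item=user apply=you
auth required   pam_unix.so
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def audit_su_stack(text):
    """Return (rules, warnings) for pam_listfile auth rules in a su stack."""
    rules, warnings, seen_unix = [], [], False
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module = fields[1], fields[2].rsplit("/", 1)[-1]
        if module == "pam_unix.so":
            seen_unix = True
        if module != "pam_listfile.so":
            continue
        opts = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
        rules.append(opts)
        if control != "sufficient":
            warnings.append("control is %r, not 'sufficient'" % control)
        if seen_unix:
            warnings.append("rule comes after pam_unix.so")
        if opts.get("onerr") != "fail":
            warnings.append("onerr is not 'fail'")
        if "apply" not in opts:
            warnings.append("no apply= option on the rule")
    return rules, warnings

def mode_is_600(path):
    """True if the list file is readable and writable by its owner only."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600
```

Run `audit_su_stack()` on the contents of the real /etc/pam.d/su and `mode_is_600()` on the path given in each rule's `file=` option.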