I just tried the non-login-shell with those settings, and it didn't offer
any change from the previous response.

(I primarily work with CentOS6.6 at work but am testing Fedora at home and
would like to implement similar security settings)

[ user@localhost ~]$ su - <<EOF
> password
> echo ""
> id
> EOF
standard in must be a tty

I'm going to look into PAM to check for related files, please let me know
if you have more advice on this issue as technically this allows for
scripted access to root (good for initial setup of production environments
provided you lock it down afterwards, however it could also be exploited by
intelligent malware).

Thanks, and I look forward to hearing from you.


On Wed, Aug 19, 2015 at 9:55 AM, Scott Mattan <s-mat...@niscom.co.jp> wrote:

> Sorry about the other post, this one may not come in correctly either...
>
> In any case, I will explain this after the main issue...
>
> I have the following differences in my /etc/pam.d/su file:
>
> Fedora22:
> #%PAM-1.0
> auth            sufficient      pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel" group.
> #auth           sufficient      pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel" group.
> #auth           required        pam_wheel.so use_uid
> auth            substack        system-auth
> auth            include         postlogin
> account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
> account         include         system-auth
> password        include         system-auth
> session         include         system-auth
> session         include         postlogin
> session         optional        pam_xauth.so
>
> CentOS6.6:
>
> #%PAM-1.0
> auth            sufficient      pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel" group.
> #auth           sufficient      pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel" group.
> #auth           required        pam_wheel.so use_uid
> auth            include        system-auth
> account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
> account         include         system-auth
> password        include         system-auth
> session         include         system-auth
> session         optional        pam_xauth.so
>
> When I try to mimic the settings for Fedora 22 in CentOS6.6 to test if
> this is the cause I become unable to open sockets.
>
> [ root@localhost ~ ]# su user
> could not open session
>
> So while this may be the issue, I have to believe that it is not the sole
> issue and there must be another cause.
> I hadn't tested the su-l file for differences yet, but it is primarily for
> login-shells... which admittedly my CentOS6.6 connection is through a
> login-shell as it is through ssh, whereas the Fedora22 is through a
> non-login-shell from the GUI.
>
> Luckily this CentOS6.6 system also has a GUI so I will try to replicate
> from a non-login-shell and get back to you with more information.
>
> Now for my lack of understanding of the mailing list.
>
> On the computer, I don't understand how to reply without having to copy
> information from multiple sources.  The entire list comes in a single post
> (very difficult to read) and replying to one means replying to all.
>
> Additionally, operating on my phone doesn't even permit me to view the
> posts, and I must manually go to the archives to read any of the new
> additions.
>
> Is there a better way of viewing this list without having to copy paste
> titles and contents?
>
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
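The /etc/pam.d/su stacks quoted in the thread leave both pam_wheel lines commented out, so any user may attempt su and only the password stands in the way. The script below is an added example, not code from either poster, that audits a PAM su file for that state and reports whether the "required" line (su restricted to wheel), the weaker "trust" line, or neither is active; the sample files it builds are constructed from the Fedora 22 stack shown above.

```sh
#!/bin/sh
# Added example: audit an /etc/pam.d/su-style file for the pam_wheel lines.
# Function names and sample files are this example's own, not Fedora's.

# Returns 0 when an uncommented "auth required pam_wheel.so ... use_uid"
# line is present (su restricted to the wheel group), 1 otherwise.
pam_su_wheel_required() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*use_uid' "$1"
}

# Returns 0 when the "trust" variant is active, which lets wheel members
# su without a password (the weaker setting), 1 otherwise.
pam_su_wheel_trusted() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*trust' "$1"
}

# Prints a one-line verdict for the given file.
pam_su_report() {
    if pam_su_wheel_trusted "$1"; then
        echo "$1: WEAK - wheel members bypass the password (pam_wheel trust)"
    elif pam_su_wheel_required "$1"; then
        echo "$1: OK - su restricted to the wheel group"
    else
        echo "$1: OPEN - any user may attempt su (pam_wheel not enforced)"
    fi
}

# Constructed sample: the stock Fedora 22 stack from the thread, with both
# pam_wheel lines still commented out.
SAMPLE_OPEN=$(mktemp)
cat > "$SAMPLE_OPEN" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
EOF

# Constructed sample: the same stack after uncommenting the "required" line,
# which is the hardening step the stock comment describes.
SAMPLE_OK=$(mktemp)
sed 's/^#auth\([[:space:]]*required\)/auth \1/' "$SAMPLE_OPEN" > "$SAMPLE_OK"
trap 'rm -f "$SAMPLE_OPEN" "$SAMPLE_OK"' EXIT

pam_su_report "$SAMPLE_OPEN"
pam_su_report "$SAMPLE_OK"
```

Run it against the real file with `pam_su_report /etc/pam.d/su` to see which state a given host is in.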
