ubuntu限制用户su[pam]

修改PAM策略/etc/pam.d/su

#
# The PAM configuration file for the Shadow `su' service
#
 
# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
 
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so
 
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth       sufficient pam_wheel.so trust
 
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth       required   pam_wheel.so deny group=nosu
 
 
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so
 
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale
 
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session    optional   pam_mail.so nopen
 
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so
 
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

# auth       required   pam_wheel.so deny group=nosu
>>>
auth       required   pam_wheel.so deny group=nosu

取消注释： 即不允许nosu组的用户su

组名可以自定义

auth       required   pam_wheel.so group=sudo

只允许sudo组的用户执行su

pam_whell.so库说明

pam_wheel.so [调试] [拒绝] [组= * +26+ *] [仅 root 用户] [信任] [use_uid]

DESCRIPTION

pam_wheel PAM 模块用于强制执行所谓的* wheel 组。默认情况下，如果申请人用户是 wheel *组的成员，则允许访问目标用户。如果不存在具有该名称的组，则模块正在使用具有组 ID * 0 *的组。

OPTIONS

• debug
  打印调试信息。

• deny
  反转 auth 操作的含义：如果用户试图获得 UID 0 访问权限并且是 wheel 组(或group选项的组)的成员，则拒绝访问。相反，如果用户不在组中，则返回 PAM_IGNORE(除非也指定了trust，在这种情况下，我们将返回 PAM_SUCCESS)。

• group=name
  不用检查 wheel 或 GID 0 组，而是使用name组执行身份验证。

• root_only
  仅当目标用户 UID 为 0 时，才进行 Wheel 成员资格检查。

• trust
  如果用户是转轮组的成员，则 pam_wheel 模块将返回 PAM_SUCCESS 而不是 PAM_IGNORE(因此，只要稍加发挥，堆叠模块，转轮成员就可能会扎根，而不会提示 Importing 密码)。

• use_uid
  轮成员资格的检查将针对当前 uid 而不是原始 uid(例如，在使用 su 从一个帐户跳转到另一个帐户时很有用)。

提供的模块类型

提供了* auth 和 account *模块类型。

返回值

PAM_AUTH_ERR
    Authentication failure.
PAM_BUF_ERR