Date: Tue, 27 Sep 2011 16:09:18 +0200
From: Ruben de Groot <mail25@bzerk.org>
To: Lev Serebryakov <lev@freebsd.org>
Cc: Rene de Vries <rene@canyon.xs4all.nl>, freebsd-security@freebsd.org
Subject: Re: pam_ldap and nss_ldap : checken and egg problem with "wheel" group and "su" utility
Message-ID: <20110927140918.GA80848@ei.bzerk.org>
In-Reply-To: <122856284.20110926194432@serebryakov.spb.ru>
References: <679126918.20110922121706@serebryakov.spb.ru> <86d3esy554.fsf@ds4.des.no> <964986730.20110923230802@serebryakov.spb.ru> <86r5369mgb.fsf@ds4.des.no> <fdcf96078c3af70fcb7ca89a20d747d8@canyon.xs4all.nl> <122856284.20110926194432@serebryakov.spb.ru>

On Mon, Sep 26, 2011 at 07:44:32PM +0400, Lev Serebryakov typed:
> Hello, Rene.
> You wrote 26 September 2011, 15:07:09:
>
> > Why not have /etc/group be authoritative for wheel (and thus have a list
> > of local superusers).
> Idea is to have no local users (but root) at all :)

How about creating an ldap group 'su-users' and changing /etc/pam.d/su to
have the line:

auth requisite pam_group.so no_warn group=su-users root_only fail_safe

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110927140918.GA80848>
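
An added audit sketch, not part of the original message: it reads a PAM service file, reports which group its pam_group.so line checks and whether fail_safe is set, then checks that the group resolves through NSS. The sample file is constructed around the line suggested above, and the function names are hypothetical; per pam_group(8), fail_safe makes the check succeed when the group does not exist or has no members, which is the state of an LDAP-only group while the directory cannot be reached.

```shell
#!/bin/sh
# Added example: audit which group gates su(1) through pam_group.so.

# Print "group=<name> fail_safe=<yes|no> root_only=<yes|no>" for the first
# active pam_group.so auth line in PAM service file $1; return 1 if none.
pam_group_gate() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $3 ~ /(^|\/)pam_group\.so$/ {
            group = "wheel"; fs = "no"; ro = "no"   # wheel is the pam_group(8) default
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^group=/) group = substr($i, 7)
                else if ($i == "fail_safe") fs = "yes"
                else if ($i == "root_only") ro = "yes"
            }
            printf "group=%s fail_safe=%s root_only=%s\n", group, fs, ro
            found = 1; exit
        }
        END { exit !found }
    ' "$1"
}

# Report the gate and warn when the group is unresolved or empty in NSS.
audit_su_gate() {
    gate=$(pam_group_gate "$1") || { echo "no pam_group.so auth line in $1"; return 1; }
    echo "$gate"
    grp=${gate#group=}; grp=${grp%% *}
    members=$(getent group "$grp" 2>/dev/null | cut -d: -f4)
    if [ -z "$members" ]; then
        case $gate in
            *fail_safe=yes*) echo "WARNING: $grp unresolved or empty; fail_safe makes this check pass for everyone" ;;
            *) echo "WARNING: $grp unresolved or empty; pam_group will reject everyone" ;;
        esac
    fi
}

# Constructed sample: an /etc/pam.d/su auth section using the suggested line.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# auth
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=su-users root_only fail_safe
auth include system
EOF
audit_su_gate "$sample"
```

On a real host, call `audit_su_gate /etc/pam.d/su` once with the directory reachable and once with it offline to see which behaviour the fail_safe option gives you.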