# su <User> doesn't work with pam

## musv

Hi there, 

Due to the *Kit stuff I installed pam. For the last few years I didn't find a need for that package, and as a result of installing pam, su doesn't work properly anymore. I'm new to pam, so all that stuff is still quite difficult for me to understand.

Reason to install pam: 

Udisks requires pam to be able to mount removable devices without a manual created udev rule.

Users:

FullUser:

```
uid=1000(FullUser) gid=100(users)
Groups=100(users),5(tty),10(wheel),11(floppy),14(uucp),18(audio),19(cdrom),27(video),80(cdrw),85(usb),250(portage),16(cron),35(games),1003(plugdev),1005(scanner),1011(wireshark)
```

RestrictedUser:

```
uid=1001(RestrictedUser) gid=100(users)
Groups=100(users),5(tty),11(floppy),18(audio),19(cdrom),27(video),80(cdrw),85(usb),35(games),1003(plugdev)
```

Behavior before (correct):

FullUser:

su root -> works

su RestrictedUser -> works 

RestrictedUser:

su root -> permission denied

su FullUser -> works

Current behaviour with pam (incorrect):

FullUser:

su root -> works

su RestrictedUser -> works

RestrictedUser:

su root -> permission denied

su FullUser -> permission denied

```
Jun 30 17:50:25 localhost su[7686]: pam_unix(su:auth): authentication failure; logname= uid=1001 euid=0 tty=/dev/pts/5 ruser=RestrictedUser rhost=  user=FullUser
```

```
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_env.so
session    optional     pam_xauth.so
```

RestrictedUser shouldn't be able to become root. That's why the user isn't a member of wheel. How do I make RestrictedUser able to become any other user except root?

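Added example (editor's note, not part of the original post): the posted `/etc/pam.d/su` stack applies the wheel check to every su target, because `pam_wheel.so` with only `use_uid` does not look at who the target user is. The module's documented `root_only` option limits the wheel-membership check to the case where the target user is root, so `su <non-root user>` falls through to the ordinary password check in `system-auth`. The stack below is the poster's own, with that one option added and comments; the file path assumes the standard Linux-PAM layout.

```pam
#%PAM-1.0
# /etc/pam.d/su
# root may become anyone without a password.
auth       sufficient   pam_rootok.so
# Only wheel members may become root. With root_only, the wheel check is
# skipped when the target is not root, so non-wheel users can still su to
# other unprivileged accounts (they are then asked for that account's
# password by system-auth). use_uid checks the real uid of the caller.
auth       required     pam_wheel.so use_uid root_only
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_env.so
session    optional     pam_xauth.so
```

To check it, as RestrictedUser run `su FullUser` (expect a password prompt for FullUser) and `su root` (expect denial). Two caveats: with `required`, PAM still runs the later auth modules and prompts for a password even though the result is already a failure; change the `pam_wheel.so` line to `requisite` if you want the denial to short-circuit before any prompt. And the point Sadako makes further down still holds: anyone who knows FullUser's password gets a wheel shell and from there root, so this adds a second password to the chain rather than blocking the path.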
----------

## Sadako

tbh, having pam deny your non-wheel user from using su at all is exactly how I would expect things to work; the point of the wheel group is not to prevent users from su-ing to root specifically, but to stop them from using su altogether.

The fact that without pam a non-wheel user can still su to a non-root account looks like a bug to me...

If a non-wheel user can su to a non-root member of the wheel group, then they can su to root from that account. In your case, for example, if "RestrictedUser" runs `su FullUser`, then as FullUser they can successfully run `su root`, so denying them the ability to run `su root` directly provides no real security, meaning I don't think the method you were using all along ever provided what you thought or intended.

Although I'm not personally a fan, if you really need this kind of access control then you should probably look into using sudo in place of su, although bear in mind that if "RestrictedUser" can run a shell as "FullUser" via sudo, they could still su to root unless you remove FullUser from the wheel group as well.

----------

## musv

 *Sadako wrote:*   

> The fact that without pam a non-wheel user can still su to a non-root account looks like a bug to me...

 

That's exactly what I wanted. Because with:

```
ssh FullUser@localhost
```

you can do something similar. 

 *Sadako wrote:*   

> If a non-wheel user can su to a non-root member of the wheel group, then they can su to root from that account,

 

Exactly. This seems to me more secure than giving the restricted user direct access to "su root". At least this way one more account has to be accessed.

 *Sadako wrote:*   

> Although not personally a fan, if you really need this kind of access control then you should probably look into using sudo in place of su, although bear in mind if "RestrictedUser" can run a shell as "FullUser" via sudo, they could still su to root unless you remove FullUser from the wheel group also.

 

I'm not a fan of sudo either.

Ok, I'll study some pam tutorials to find a solution. If it doesn't seem to be possible my RestrictedUser will become a member of wheel.

Thanks so far.

----------

