I just tried the non-login-shell with those settings, and it didn't offer
any change from the previous response.
(I primarily work with CentOS6.6 at work but am testing Fedora at home and
would like to implement similar security settings)
[ user@localhost ~]$ su - <<EOF
password
echo ""
id
EOF
standard in must be a tty
I'm going to look into PAM to check for related files, please let me know
if you have more advice on this issue as technically this allows for
scripted access to root (good for initial setup of production environments
provided you lock it down afterwards, however it could also be exploited by
intelligent malware).
Thanks, and I look forward to hearing from you.
On Wed, Aug 19, 2015 at 9:55 AM, Scott Mattan <s-mattan(a)niscom.co.jp> wrote:
Sorry about the other post, this one may not come in correctly
either...
In any case, I will explain this after the main issue...
I have the following differences in my /etc/pam.d/su file:
Fedora22:
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
CentOS6.6:
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
When I try to mimic the settings for Fedora 22 in CentOS6.6 to test if
this is the cause I become unable to open sockets.
[ root@localhost ~ ]# su user
could not open session
So while this may be the issue, I have to believe that it is not the sole
issue and there must be another cause.
I hadn't tested the su-l file for differences yet, but it is primarily for
login-shells... which admittedly my CentOS6.6 connection is through a
login-shell as it is through ssh, whereas the Fedora22 is through a
non-login-shell from the GUI.
Luckily this CentOS6.6 system also has a GUI so I will try to replicate
from a non-login-shell and get back to you with more information.
Now for my lack of understanding of the mailing list.
On the computer, I don't understand how to reply without having to copy
information from multiple sources. The entire list comes in a single post
(very difficult to read) and replying to one means replying to all.
Additionally, operating on my phone doesn't even permit me to view the
posts, and I must manually go to the archives to read any of the new
additions.
Is there a better way of viewing this list without having to copy paste
titles and contents?
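Added example (editor's note, not part of the original mailing-list post): the two /etc/pam.d/su files quoted above differ only in the system-auth/postlogin lines, and on both systems the "require wheel" line is still commented out, so any user who knows the root password can `su`, scripted or not. The small POSIX sh audit below checks an /etc/pam.d/su file for exactly the settings discussed in the thread: whether `auth required pam_wheel.so` is active, whether the password-less `pam_wheel.so trust` variant is active, and it can produce a copy with the "require wheel" line uncommented. The sample config it writes is the Fedora 22 file from the thread, embedded here as constructed test input; the function names are my own. It only inspects the configuration and does not run `su`, so it says nothing about the "standard in must be a tty" behaviour itself.

```shell
#!/bin/sh
# Audit an /etc/pam.d/su file for the wheel-group restriction the thread's
# PAM listings show commented out. All function names are this example's own.

# Constructed sample input: the Fedora 22 /etc/pam.d/su quoted in the thread.
write_sample_su_config() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
EOF
}

# Print only the lines PAM will actually evaluate: strip comments and blanks.
pam_active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# 0 if su is restricted to wheel members (auth required/requisite pam_wheel.so).
pam_wheel_required() {
    pam_active_lines "$1" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so'
}

# 0 if wheel members become root WITHOUT a password (pam_wheel.so ... trust).
pam_wheel_trusted() {
    pam_active_lines "$1" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*[[:space:]]trust([[:space:]]|$)'
}

# Write a hardened copy of $1 to $2 with the "require wheel" line uncommented.
# The original file is left untouched; review the copy before installing it.
pam_enable_wheel_required() {
    sed -E 's/^#(auth[[:space:]]+required[[:space:]]+pam_wheel\.so)/\1/' "$1" > "$2"
}

# Human-readable verdict for one file; returns 1 if the restriction is missing.
pam_audit_report() {
    f="$1"
    if pam_wheel_trusted "$f"; then
        echo "$f: WARNING wheel members can su to root without a password (trust)"
    fi
    if pam_wheel_required "$f"; then
        echo "$f: OK su restricted to the wheel group"
        return 0
    fi
    echo "$f: MISSING 'auth required pam_wheel.so use_uid' is not active"
    return 1
}
```

Usage: source the file and run `pam_audit_report /etc/pam.d/su` on each host; to produce a hardened candidate, `pam_enable_wheel_required /etc/pam.d/su /tmp/su.new` and diff it before copying it into place. Note that pam_rootok.so stays first in both listings, so root itself is never challenged; the wheel check only limits which non-root accounts may attempt `su` at all.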