I just tried the non-login-shell with those settings, and it didn't offer any change from the previous response.

(I primarily work with CentOS6.6 at work but am testing Fedora at home and would like to implement similar security settings)

[ user@localhost ~]$ su - <<EOF
> password
> echo ""
> id
> EOF
standard in must be a tty

I'm going to look into PAM to check for related files, please let me know if you have more advice on this issue as technically this allows for scripted access to root (good for initial setup of production environments provided you lock it down afterwords, however it could also be exploited by intelligent malware).

Thanks, and I look forward to hearing from you.


On Wed, Aug 19, 2015 at 9:55 AM, Scott Mattan <s-mattan@niscom.co.jp> wrote:
Sorry about the other post, this one may not come in correctly either...

In anycase, I will explain this after the main issue...

I have the following differences in my /etc/pam.d/su file:

Fedora22:
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so

CentOS6.6:

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include        system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

When I try to mimic the settings for Fedora 22 in CentOS6.6 to test if this is the cause I become unable to open sockets.

[ root@localhost ~ ]# su user
could not open session

So while this may be the issue, I have to believe that it is not the sole issue and there must be another cause.
I hadn't tested the su-l file for differences yet, but it is primarily for login-shells... which admittedly my CenOS6.6 connection is through a login-shell as it is through ssh, whereas the Fedora22 is through a non-login-shell from the GUI.

Luckily this CentOS6.6 system is also has a GUI so I will try to replicate from a non-login-shell and get back to you with more information.

Now for my lack of understanding of the mailing list. 

On the computer, I don't understand how to reply without having to copy information from multiple sources.  The entire list comes in a single post (very difficult to read) and replying to one means replying to all. 

Additionally, operating on my phone doesn't even permit me to view the posts, and I must manually go to the archives to read any of the new additions.

Is there a better way of viewing this list without having to copy paste titles and contents?