The following should be noted before proceeding:
Set up two users, testuser1 and testuser2, and two groups, suroot and redgroup, as follows:
# useradd testuser1
# useradd testuser2
# groupadd suroot
# groupadd redgroup
Add each user to its respective group (note that usermod -G sets the user's complete list of supplementary groups, so for an existing account include its current groups as well):
# usermod -G suroot testuser1
# usermod -G redgroup testuser2
Back up the file /etc/pam.d/su as follows:
# cp /etc/pam.d/su /etc/pam.d/su.bak
In /etc/pam.d/su, add the following three lines directly under the first pam_stack.so occurrence (the existing system-auth line, shown first here for context), so that the auth section reads:
auth required /lib/security/$ISA/pam_stack.so service=system-auth
auth sufficient /lib/security/$ISA/pam_stack.so service=suroot-members
auth sufficient /lib/security/$ISA/pam_stack.so service=redgroup-members
auth required /lib/security/$ISA/pam_deny.so
Create the file /etc/pam.d/suroot-members with the following contents:
auth required /lib/security/$ISA/pam_wheel.so use_uid group=suroot
auth required /lib/security/$ISA/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/sumembers-access
Create the file /etc/pam.d/redgroup-members with the following contents:
auth required /lib/security/$ISA/pam_wheel.so use_uid group=redgroup
auth required /lib/security/$ISA/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/redgroup-access
Create the file /etc/security/sumembers-access. In this file, add users, for example testuser1, one per line. Users added to this file will be the only users within the suroot group allowed to su to the following users:
root
backupuser
operator
Create the file /etc/security/redgroup-access. Users added to this file will be the only users within the redgroup group allowed to su to the following users:
dbuser
dbbackupuser
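To see why the stacked required/sufficient lines above produce a per-group allow list, the following is an added offline model of the su auth stack (example code written for this article, not Red Hat's or Linux-PAM's own code). It assumes the group memberships and file contents from the steps above, treats system-auth as a password check that is assumed to pass, and leaves out the other lines of the stock /etc/pam.d/su. It models pam_wheel.so use_uid as a check on the calling user's group membership and pam_listfile.so item=user as a check on PAM_USER, which su sets to the account being switched to, so the two access files are modelled as holding the target accounts (root, backupuser, operator and dbuser, dbbackupuser).

```python
"""Offline model of the stacked /etc/pam.d/su auth chain described in the article.

Added example; the module behaviour below is a simplified model, not PAM itself.
"""

# Constructed data mirroring the article's setup.
GROUPS = {
    "suroot": {"testuser1"},
    "redgroup": {"testuser2"},
}
# Assumption: the access files list the accounts that may be switched *to*,
# because pam_listfile item=user checks PAM_USER, the su target.
ACCESS_FILES = {
    "/etc/security/sumembers-access": {"root", "backupuser", "operator"},
    "/etc/security/redgroup-access": {"dbuser", "dbbackupuser"},
}

# The auth stacks from the article, as (control flag, module, arguments).
SERVICES = {
    "su": [
        ("required", "pam_stack", {"service": "system-auth"}),
        ("sufficient", "pam_stack", {"service": "suroot-members"}),
        ("sufficient", "pam_stack", {"service": "redgroup-members"}),
        ("required", "pam_deny", {}),
    ],
    # system-auth is reduced to a single password check for this model.
    "system-auth": [("required", "pam_unix", {})],
    "suroot-members": [
        ("required", "pam_wheel", {"group": "suroot"}),
        ("required", "pam_listfile", {"file": "/etc/security/sumembers-access"}),
    ],
    "redgroup-members": [
        ("required", "pam_wheel", {"group": "redgroup"}),
        ("required", "pam_listfile", {"file": "/etc/security/redgroup-access"}),
    ],
}


def run_module(name, args, caller, target, password_ok):
    """Return True if a single module succeeds for this su attempt."""
    if name == "pam_stack":
        # pam_stack.so service=X evaluates stack X and reports its result.
        return authenticate(args["service"], caller, target, password_ok)
    if name == "pam_unix":
        return password_ok
    if name == "pam_wheel":
        # use_uid: test the real (calling) user's membership in the group.
        return caller in GROUPS.get(args["group"], set())
    if name == "pam_listfile":
        # item=user sense=allow: PAM_USER (the target account) must be listed.
        return target in ACCESS_FILES.get(args["file"], set())
    if name == "pam_deny":
        return False
    raise ValueError("unknown module: %s" % name)


def authenticate(service, caller, target, password_ok=True):
    """Evaluate an auth stack with Linux-PAM required/sufficient semantics.

    required:   a failure is remembered but the stack keeps running.
    sufficient: success ends the stack with success, unless an earlier
                required module already failed.
    """
    failed = False
    for control, module, args in SERVICES[service]:
        ok = run_module(module, args, caller, target, password_ok)
        if control == "required":
            if not ok:
                failed = True
        elif control == "sufficient":
            if ok and not failed:
                return True
        else:
            raise ValueError("unknown control flag: %s" % control)
    return not failed


def su_allowed(caller, target, password_ok=True):
    """Would 'su target' run by caller pass the modelled auth stack?"""
    return authenticate("su", caller, target, password_ok)


if __name__ == "__main__":
    for caller in ("testuser1", "testuser2"):
        for target in ("root", "backupuser", "dbuser"):
            print("%-10s -> %-10s %s" % (caller, target,
                                          "allow" if su_allowed(caller, target) else "deny"))
```

Running the block prints the allow/deny matrix: testuser1 reaches root, backupuser and operator only, testuser2 reaches dbuser and dbbackupuser only, and a wrong password denies everything because the required system-auth failure blocks the later sufficient lines from short-circuiting.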