
This is similar to this question:

Allow user1 to "su - user2" without password

However, the solution only works for multiple users "su"ing to ONE user.

#works fine :) 2 or more users accessing 1 user
auth       [success=ignore default=1] pam_succeed_if.so user = user1
auth       sufficient   pam_succeed_if.so use_uid user = user2
auth       sufficient   pam_succeed_if.so use_uid user = user3

If I try to go n-users to n-users:

#doesn't work :(
auth       [success=ignore default=1] pam_succeed_if.so user = user1
auth       sufficient   pam_succeed_if.so use_uid user = user2
auth       sufficient   pam_succeed_if.so use_uid user = user3

auth       [success=ignore default=1] pam_succeed_if.so user = user4
auth       sufficient   pam_succeed_if.so use_uid user = user2
auth       sufficient   pam_succeed_if.so use_uid user = user3

I get PAM errors or get asked to input the password.

rafaelxy

3 Answers

As I understand it, the code [success=ignore default=1] means that if the module returns anything other than success, skip 1 module. Perhaps you need to skip 2 to get to the next pam_succeed_if?

meuh
  • I tried using [success=ignore default=2] but didn't work. I get the message "could not set PAM credentials" every time for the first auth declaration. The second always works, seems like it is overwriting the other one. – rafaelxy Mar 17 '16 at 16:39
You need to change the auth order, like this:

auth       [success=1 default=ignore] pam_succeed_if.so user = user1
auth       [success=ignore default=1] pam_succeed_if.so user = user4
auth       sufficient   pam_succeed_if.so use_uid user in user2:user3
chliny
  • Welcome on the Unix SE! Help in pam things is always very useful. However, writing just code/script/config snippets reduces the mean quality of the site. Please explain, what did you change and why. – peterh Jul 29 '18 at 18:35
  • this solved it for me, allowing su without password into user1 and user4 – simernes Oct 08 '18 at 06:42
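The skip-count semantics described in the first answer and the three-line stack in the answer above can be checked by hand; the small Python model below, added here and not taken from the page or any answerer, walks that stack for several caller/target pairs. It models only the actions those lines use (done, ignore and a numeric jump), and treats reaching the end of the stack as a fall-through to the rest of /etc/pam.d/su; the separate pam_setcred pass is not modelled.

```python
import re

# The "sufficient" shorthand, written out as the [value=action] table it expands to
SHORTHAND = {"sufficient": {"success": "done", "default": "ignore"}}

# Constructed sample: the three-line stack from the answer above
CONFIG = """
auth       [success=1 default=ignore] pam_succeed_if.so user = user1
auth       [success=ignore default=1] pam_succeed_if.so user = user4
auth       sufficient   pam_succeed_if.so use_uid user in user2:user3
"""

def parse_line(line):
    """Split 'auth <control> pam_succeed_if.so [use_uid] user <op> <value>'."""
    m = re.match(r"auth\s+(\[[^\]]+\]|\w+)\s+pam_succeed_if\.so\s+(.+)$", line.strip())
    if not m:
        raise ValueError(f"unsupported line: {line!r}")
    ctrl, args = m.group(1), m.group(2).split()
    actions = (dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
               if ctrl.startswith("[") else SHORTHAND[ctrl])
    use_uid = args[0] == "use_uid"  # compare the calling user instead of the target
    _, op, value = args[1:4] if use_uid else args[:3]
    return actions, use_uid, op, value

def condition_holds(mod, ruser, user):
    """Evaluate one pam_succeed_if condition for caller ruser and target user."""
    _, use_uid, op, value = mod
    subject = ruser if use_uid else user
    if op not in ("=", "in"):
        raise ValueError(f"unsupported operator {op!r}")
    return subject == value if op == "=" else subject in value.split(":")

def evaluate(config, ruser, user):
    """Walk the stack: 'allow' on a successful 'done', otherwise 'fallthrough' to
    the remaining lines of /etc/pam.d/su (normally a password prompt)."""
    stack = [parse_line(l) for l in config.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    i = 0
    while i < len(stack):
        mod = stack[i]
        action = mod[0]["success" if condition_holds(mod, ruser, user) else "default"]
        i += 1
        if action == "done":
            return "allow"
        if action.isdigit():  # jump over the next N modules
            i += int(action)
        elif action != "ignore":
            raise ValueError(f"action {action!r} is not modelled")
    return "fallthrough"
```

Call evaluate(CONFIG, caller, target) for each pair you care about; "fallthrough" means the lines after these in /etc/pam.d/su decide, which for a stock su file is the password prompt.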
I am accomplishing it using pam_exec.so instead of pam_succeed_if.so.

In /etc/pam.d/su immediately after pam_rootok.so:

auth  sufficient             pam_exec.so quiet /etc/pam.d/check_user.sh

In /etc/pam.d/check_user.sh:

#!/bin/bash
# Run by pam_exec.so from the auth stack of /etc/pam.d/su, so this file must be
# executable and should be owned by root and not writable by anyone else.
# PAM passes the calling user as PAM_RUSER and the target account as PAM_USER.
[[ -z $PAM_RUSER ]] && PAM_RUSER=$PAM_USER # under some circumstances pam_exec.so does not pass PAM_RUSER to the script
# Only the auth phase is handled here; any other phase fails the check.
[[ "$PAM_TYPE" == "auth" ]] || exit 1
# Map each calling user to the accounts it may su into.
case "$PAM_RUSER" in
  user1)        USERS="user1 user2" ;;
  user3)        USERS="user3 user4" ;;
  *)            exit 1 ;;
esac
# Whole-word match: a plain substring test ("$USERS" =~ "$PAM_USER") would also
# accept a target such as "user" or "ser1" because it occurs inside "user1 user2".
[[ " $USERS " == *" $PAM_USER "* ]]
Jim Trigg