From 48299dd4965f8142a3bd7150c0af104459082cef Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 29 Dec 2008 20:03:51 +0100 Subject: [PATCH] pam: Remove all but one line from pam.d/su. The session modules seem useless, and the common files only include ldap and don't know about root, so that only gives warnings when root is trying to su. This makes it impossible for non-root users to use su, but that's a feature. --- etc/pam.d/su | 56 ---------------------------------------------------- 1 file changed, 56 deletions(-) diff --git a/etc/pam.d/su b/etc/pam.d/su index c1a84ae..ab107da 100644 --- a/etc/pam.d/su +++ b/etc/pam.d/su @@ -4,59 +4,3 @@ # This allows root to su without passwords (normal operation) auth sufficient pam_rootok.so - -# Uncomment this to force users to be a member of group root -# before they can use `su'. You can also add "group=foo" -# to the end of this line if you want to use a group other -# than the default "root" (but this may have side effect of -# denying "root" user, unless she's a member of "foo" or explicitly -# permitted earlier by e.g. "sufficient pam_rootok.so"). -# (Replaces the `SU_WHEEL_ONLY' option from login.defs) -# auth required pam_wheel.so - -# Uncomment this if you want wheel members to be able to -# su without a password. -# auth sufficient pam_wheel.so trust - -# Uncomment this if you want members of a specific group to not -# be allowed to use su at all. -# auth required pam_wheel.so deny group=nosu - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on su usage. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 -# locale variables are also kept into /etc/default/locale in etch -# reading this file *in addition to /etc/environment* does not hurt -session required pam_env.so readenv=1 envfile=/etc/default/locale - -# Defines the MAIL environment variable -# However, userdel also needs MAIL_DIR and MAIL_FILE variables -# in /etc/login.defs to make sure that removing a user -# also removes the user's mail spool file. -# See comments in /etc/login.defs -# -# "nopen" stands to avoid reporting new mail when su'ing to another user -session optional pam_mail.so nopen - -# Sets up user limits, please uncomment and read /etc/security/limits.conf -# to enable this functionality. -# (Replaces the use of /etc/limits in old login) -# session required pam_limits.so - -# The standard Unix authentication modules, used with -# NIS (man nsswitch) as well as normal /etc/passwd and -# /etc/shadow entries. -@include common-auth -@include common-account -@include common-session - - -- 2.30.2