On 2011-06-01 20:24, Steve Langasek wrote:
> On Wed, Jun 01, 2011 at 12:43:46PM +0200, Stanisław Findeisen wrote:
>
>> It looks like pam_listfile only allows restricting the *source* user set and
>> *not* the *target* user set.
>
> That's not true at all. item=user *is* the target user set. (Source user
> set would be the seldom-used item=ruser.)
>
>> Here's the debian-user discussion:
>> http://lists.debian.org/debian-user/2011/05/msg02054.html
>
>> Is there any way to do what I want?
>
> As already suggested, sudo does seem to be a better fit for what you're
> trying to achieve.
>
> pam_listfile isn't going to give you any reasonable mapping for applicant /
> target user *pairs*; you only get "this list of users are allowed access to
> this other list of users".
>
>> If I write a patch for pam_listfile, will you accept it to Debian?
>
> No. It would have to go upstream first; but I'll say that such a patch is
> unlikely to be accepted.
>
>> Where is the source code?
>
> I think that's more of a question for debian-user anyway, but:
>
> $ dpkg -S /lib/security/pam_listfile.so
> libpam-modules: /lib/security/pam_listfile.so
> $ debcheckout libpam-modules
> declared bzr repository at nosmart+http://bzr.debian.org/bzr/pkg-pam/debian/sid/
> bzr branch nosmart+http://bzr.debian.org/bzr/pkg-pam/debian/sid/ libpam-modules ...
> [...]
>
>> Or maybe that should be a new PAM module?
>
> It could be. But I'm skeptical that such a module would be of widespread
> interest.

In case anyone has free time, could you please have a look at my module,
spot bugs or issue any valuable comments? :-)

This specifies that users sf, u2 and u3 can each do passwordless su to
users root and sf2. User sf2 can do passwordless su to user u2. You can
also use "debug" (anywhere on the command line) for additional debug
information in auth.log.
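For comparison with the sudo route suggested earlier in the thread, here is the same applicant/target pairing expressed as sudoers rules. This is an added example, not part of the original post or the proposed module; the rule file name is an assumption.

```sudoers
# Constructed example: the pair policy described above, as sudo rules.
# Install with visudo (e.g. "visudo -f /etc/sudoers.d/su-pairs") so the
# syntax is checked before it takes effect.

# sf, u2 and u3 may each become root or sf2 without a password.
sf, u2, u3  ALL = (root, sf2) NOPASSWD: ALL

# sf2 may become u2 without a password; no other target is permitted.
sf2         ALL = (u2) NOPASSWD: ALL
```

A login shell as the target user is then `sudo -u sf2 -i`, and sudo records every such switch (applicant, target user and command) through syslog into auth.log, which covers the logging that the module's "debug" option is meant to provide.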