Restricting “su” to target groups

Published by moxlotus on

In many situations we would like to give users access to a particular command without exposing too much access due to security concerns.
One particular example will be the docker command. After a docker daemon has been installed, one can invoke the command either as a root or as a member in the docker group.
The problem with second approach is that whenever you have a new user, you will have to add it into the docker group. Wouldn't it be better if the primary group for the user simply works?
We can make use of the PAM installed on Linux to achieve this.

In the code block below, it makes use of pam_succeed_if.so module to check if the user is user_name. If it is true, it will simply ignore the result and proceed to the next line. If it is false, which means we are not attempting to authenticate as user_name, it will simply skip the next two lines (this is configured by setting default=2, adjust this number according to the number of lines that you want to skip). In the two lines that follow, it will check if the user that invoked the su command is part of the group_name that you have defined.

auth            [success=ignore default=2] pam_succeed_if.so user = <user_name>
auth            sufficient      pam_succeed_if.so use_uid user ingroup <group_name>
auth            sufficient      pam_succeed_if.so use_uid user ingroup <group_name>

Putting everything together, you just have to add the following into /etc/pam.d/su. This will check if the user, who is invoking su - docker, belongs to the group staff and/or system.

auth            sufficient      pam_rootok.so # Add the next three lines below this line
auth            [success=ignore default=2] pam_succeed_if.so user = docker
auth            sufficient      pam_succeed_if.so use_uid user ingroup staff
auth            sufficient      pam_succeed_if.so use_uid user ingroup system
Share it with others
Categories: Linux