Restricting “su” to target groups
In many situations we would like to give users access to a particular command without exposing too much access due to security concerns.
One particular example is the docker command. After the docker daemon has been installed, the command can be invoked either as root or as a member of the docker group.
The problem with the second approach is that whenever you have a new user, you have to add it to the docker group. Wouldn't it be better if the user's primary group simply worked?
We can make use of the PAM installed on Linux to achieve this.
In the code block below, the first line uses the pam_succeed_if.so module to check whether the target user (the account being switched to) is user_name. If that is true, the result is ignored and the stack proceeds to the next line. If it is false, which means we are not attempting to authenticate as user_name, the next two lines are skipped (this is configured by setting default=2; adjust this number to match the number of lines you want to skip). The two lines that follow check whether the user who invoked the su command (selected by use_uid) is a member of the group_name that you have defined; because they are marked sufficient, a match ends authentication successfully without any further prompt.

    auth [success=ignore default=2] pam_succeed_if.so user = <user_name>
    auth sufficient pam_succeed_if.so use_uid user ingroup <group_name>
    auth sufficient pam_succeed_if.so use_uid user ingroup <group_name>
Putting everything together, you just have to add the following into /etc/pam.d/su. This will check if the user, who is invoking su - docker, belongs to the group

    auth sufficient pam_rootok.so
    # Add the next three lines below this line
    auth [success=ignore default=2] pam_succeed_if.so user = docker
    auth sufficient pam_succeed_if.so use_uid user ingroup staff
    auth sufficient pam_succeed_if.so use_uid user ingroup system
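To see how the control words interact, here is an added example (my own Python, not code from the post and not libpam itself) that parses the stack above and walks it with a simplified model of the sufficient, required, requisite and bracketed controls. It assumes one trailing auth required pam_unix.so line standing in for the distribution's normal password check, and the accounts alice, bob, carol and root with their group lists are constructed sample input.

```python
import re

# Constructed copy of the /etc/pam.d/su 'auth' stack from the post. The last
# line (pam_unix.so) is an assumption standing in for the distribution's normal
# password check, so callers who miss the group shortcut still get a prompt.
SU_AUTH_STACK = """\
auth sufficient pam_rootok.so
# Add the next three lines below this line
auth [success=ignore default=2] pam_succeed_if.so user = docker
auth sufficient pam_succeed_if.so use_uid user ingroup staff
auth sufficient pam_succeed_if.so use_uid user ingroup system
auth required pam_unix.so
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one PAM facility.

    control is a keyword such as 'sufficient', or a dict for the bracketed
    form, e.g. {'success': 'ignore', 'default': 2} (an integer means 'skip N').
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m or m.group(1) != facility:
            continue
        ctrl, module, args = m.group(2), m.group(3), m.group(4).split()
        if ctrl.startswith("["):
            pairs = (item.split("=", 1) for item in ctrl[1:-1].split())
            ctrl = {k: (int(v) if v.isdigit() else v) for k, v in pairs}
        entries.append((ctrl, module, args))
    return entries


def run_module(module, args, ctx):
    """Return True for PAM_SUCCESS, False otherwise, for the modules used here."""
    if module == "pam_rootok.so":
        return ctx["uid"] == 0                       # caller's real uid is root
    if module == "pam_succeed_if.so":
        # Without use_uid the condition is tested against the *target* account
        # (PAM_USER); with use_uid it is tested against the account running su.
        field, op, value = [a for a in args if a != "use_uid"]
        if "use_uid" in args:
            name, groups = ctx["caller"], ctx["caller_groups"]
        else:
            name, groups = ctx["target"], ctx["target_groups"]
        if field != "user":
            raise ValueError("only 'user' conditions are modelled: %r" % args)
        if op == "=":
            return name == value
        if op == "ingroup":
            return value in groups
        raise ValueError("unsupported pam_succeed_if operator: %r" % op)
    if module == "pam_unix.so":
        return ctx["password_ok"]                    # stands in for the password prompt
    raise ValueError("module not modelled: " + module)


def evaluate(stack_text, ctx):
    """Walk the stack the way libpam does for the control values used in the post."""
    entries = parse_stack(stack_text)
    impression = None            # None, 'ok' or 'fail' accumulated so far
    i = 0
    while i < len(entries):
        ctrl, module, args = entries[i]
        ok = run_module(module, args, ctx)
        if ctrl == "sufficient":
            if ok and impression != "fail":
                return "success"                     # short-circuits; later lines unread
        elif ctrl == "required":
            if not ok:
                impression = "fail"                  # keep walking, but the answer is fixed
            elif impression is None:
                impression = "ok"
        elif ctrl == "requisite":
            if not ok:
                return "fail"
            impression = impression or "ok"
        elif isinstance(ctrl, dict):
            action = ctrl.get("success" if ok else "default", "bad")
            if isinstance(action, int):
                i += action                          # default=2: jump over the next two lines
            elif action == "ok" and impression is None:
                impression = "ok"
            elif action == "done":
                return "fail" if impression == "fail" else "success"
            elif action == "die":
                return "fail"
            elif action == "bad":
                impression = "fail"
            # 'ignore' changes nothing and falls through to the next line
        i += 1
    return "success" if impression == "ok" else "fail"


def su_auth(caller, uid, caller_groups, target, password_ok=False, stack=SU_AUTH_STACK):
    """Outcome of 'su - <target>' run by caller, given the caller's group list."""
    ctx = dict(caller=caller, uid=uid, caller_groups=set(caller_groups),
               target=target, target_groups=set(), password_ok=password_ok)
    return evaluate(stack, ctx)


if __name__ == "__main__":
    # Constructed accounts: alice is in staff, bob is in no privileged group.
    print(su_auth("alice", 1000, ["alice", "staff"], "docker"))        # success, no password
    print(su_auth("bob", 1001, ["bob"], "docker"))                     # fail: no password given
    print(su_auth("bob", 1001, ["bob"], "docker", password_ok=True))   # success via pam_unix
    print(su_auth("alice", 1000, ["alice", "staff"], "postgres"))      # fail: group lines skipped
    print(su_auth("root", 0, ["root"], "docker"))                      # success via pam_rootok
```

The postgres case is the one worth watching: because the user = docker check fails, default=2 jumps straight over both group lines to the password check, so the group shortcut never applies to any other target account. The same jump is why default=N has to equal exactly the number of group lines that follow it; adding a fourth group line without changing the count would leave it reachable for every target.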