~~NOCACHE~~
## 71.アクセス管理-pam.d-su


### /etc/pam.d/su設定
<sxh bash; gutter:True>
#変更
vi /etc/pam.d/su

</sxh>

### /etc/pam.d/su設定詳細
ハイライト行を変更する。
wheelグループのユーザのみ、suによるrootユーザへの昇格を許可する。
wheelグループのユーザーでログインし、その後でsuコマンドでwheelグループのユーザーになった場合はNG。

<sxh bash; highlight: [7]; gutter:True;>
#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so root_only
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
</sxh>
[[http://wordpress.honobono-life.info/security/suコマンドによるrootへのスイッチを制限する/|http://wordpress.honobono-life.info/security/suコマンドによるrootへのスイッチを制限する/]]

### 初期値
<sxh bash; gutter:True>
#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
</sxh>

{{tag>AWS RHEL 実践的}}