NIS do SU only if GID=0

[koma]

Hello,

I've successfully created a NIS domain but I've a problem with the users in the wheel group. They become root only if the wheel group is their base group:

ypcat master.passwd

[root@web9 ~]# ypcat master.passwd
ALPHA:4z0djLKIWW0Go:1002:0::0:0:ALPHA:/home/ALPHA:/usr/local/bin/bash
BETA:EEcbYm70e5gT2:1004:1004::0:0:BETA:/home/BETA:/usr/local/bin/bash

Information about the user (id):

[root@web9 ~]# id BETA
uid=1004(BETA) gid=1004(BETA) groups=1004(BETA),5(operator),0(wheel)
[root@web9 ~]# id ALPHA
uid=1002(ALPHA) gid=0(wheel) groups=0(wheel)

Trying to become root

[root@web9 ~]# su - BETA
[BETA@web9 ~]$ su -
su: Sorry
[BETA@web9 ~]$

[root@web9 ~]# su - ALPHA
[ALPHA@web9 ~]$ su -
Password:
web9#

Any idea?

 

[pboehmer]

I will assume that the ALPHA user was added with wheel as the default group and BETA was added under a different default group. I believe the fix is just to add BETA to the ypserver's /etc/group file and then on the client side add (if you don't already) append +:*:0: to each of the NIS client machines. Alternatively (or for finer grain control), you can just add BETA to the wheel group on each of the NIS client machine's /etc/group file that need wheel access.

 

[koma]

Hi pboehmer, thank you for your reply.

I will assume that the ALPHA user was added with wheel as the default group and BETA was added under a different default group.

Exactly.

I believe the fix is just to add BETA to the ypserver's /etc/group file and then on the client side add (if you don't already) append +:*:0: to each of the NIS client machines.

I don't want to set wheel as the primary group on any user but root.

Alternatively (or for finer grain control), you can just add BETA to the wheel group on each of the NIS client machine's /etc/group file that need wheel access.

That's not the best idea, because I don't want to add the user to the wheel group manually on all my servers (there are 150 servers and counting...).

The idea is to add the user to the wheel group as secondary group. So I can remove the "wheel power" directly from the master server without removing entirely the user.

 

[pboehmer]

I don't want to set wheel as the primary group on any user but root.

Doesn't that contradict this:

[root@web9 ~]# id ALPHA
uid=1002(ALPHA) gid=0(wheel) groups=0(wheel)

Or is ALPHA just a test user to show the issue? It appears that you have BETA setup correctly (I assume this is from one of the ypclients). Can you post the NIS/YP relevant entry of the ypclient's /etc/group?

I mentioned adding the user to individual servers /etc/group if you had a scenario where you only wanted BETA to have wheel access to specific servers as opposed to all 150 servers. After re-reading your post, I have a better understanding of what your problem is.

 

[pboehmer]

Ok, after some testing on our systems, we found the same problem you are having. Our setup is a bit smaller and we only have a handful of admin staff, so we never ran into this issue. After a bit of testing, I found something interesting.

I think the root cause is that su uses pamd for authentication and if you look at /etc/pam.d/su you will notice the following entries:

auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
auth            include         system

When I added the following line before the auth requisite line:

auth            sufficient      pam_unix.so             no_warn group=wheel root_only fail_safe

My NIS user can now su, but with a major issue. Now every user can su provided that the user has the root password (which still doesn't help you). That being said, the above line was just to test an idea.

My theory: In order for pam to authenticate using NIS, and thus su to work, you'll need to add the pam_unix.so module. What I don't know right now is how to add that module so only wheel group users are able to su. In then end, it looks like you'll either be editing the /etc/pam.d/su or editing each /etc/group. I suspect the reason the pam_unix.so module was omitted was for security reasons.

I'll keep testing to see if I can come up with something more concrete.

 

[pboehmer]

Disregard the previous post...

A coworker of mine found the _working_ fix. In your ypclient's /etc/group make sure that the

+:*::

is the first entry in the file and not the last. After making this change, we were successfully able to su NIS wheel group users and only those users.

 

[koma]

Disregard the previous post...

A coworker of mine found the _working_ fix. In your ypclient's /etc/group make sure that the

+:*::

is the first entry in the file and not the last. After making this change, we were successfully able to su NIS wheel group users and only those users.

Thank you!
Excuse me if I could not explain well how I wanted.

You have found the solution, I knew it was not a complex thing, now all that remains is to correct the documentation on the handbook.
http://www.freebsd.org/doc/it/books/handbook/network-nis.html !

How can I set the [SOLVED] tag on the topic's title?

 

[DutchDaemon]

How can I set the [SOLVED] tag on the topic's title?

Edit the first post, 'Go Advanced', pull-down menu to the left of the title.