3

I know how to enable su without a password for all wheel group users by adding the appropriate configuration line in /etc/pam.d/su.

I do not want to enable this for all wheel users but only one particular user.

I am using FreeBSD 8.1. How do I do this?

UPDATE in response to comments below

This is a pfSense box. Underlying OS is FreeBSD 8.1 but as usual for pfSense a lot of functionality is missing, notably the entire ports collection. I wish to have one privileged user (in wheel group) able to invoke su - without having to type the root password. Enabling this for all wheel users using PAM is easy. I do not know the correct PAM configuration to allow bypassing the password for one particular user. I am constrained by company policy in how much alteration I can make. This is a running, mission-critical machine and I cannot take the risk of accidentally bringing it down. I have inherited administration of this machine but radical changes to its configuration are not practicable or permissible at this present time. I have PAM; I don't have sudo. I wish I did, but I don't.

David G
  • Privilege escalation is always a security breach, but as you ask: configure sudo without a password for that particular user? –  Dec 19 '12 at 21:38
  • 1
    This is FreeBSD. I do not have sudo. I want to do this via PAM. – David G Dec 19 '12 at 21:44
  • sudo is available for FreeBSD ports. Update your port tree if you do not have sudo. –  Dec 19 '12 at 21:46
  • 1
    Please include more details of your situation. What is the user supposed to do? Why are you unable to use/install sudo on a FreeBSD system? A little sample scenario, perhaps, of what you are specifically trying to do. – mdpc Dec 19 '12 at 22:24
  • :: Wonders if compiling sudo on a FreeBSD box and uploading it to the pfsense box would work :: –  Dec 19 '12 at 22:52
  • FreeBSD packages work just fine on a pfSense box... pfSense didn't meddle with OS much, but the ports tree is not included for space reasons. – Chris S Dec 20 '12 at 01:49
  • 1
    I have to ask why you have multiple wheel users in the first place, and why one has to be able to gain root privileges without a password. This seems exceedingly odd. – Chris S Dec 20 '12 at 01:53

4 Answers

3

I suggest using sudo to do this. It's easy and a well tested method.

Please reference the sudo man page for more information.

mdpc
  • This is a pfSense box. It does not have sudo. It does not have ports. It does not even have portsnap. It does, however, have PAM, which is why I want to use PAM and not sudo and not ports. – David G Dec 19 '12 at 22:15
  • 1
    BTW, for reference, this information should have been included in the original message so we could get to your specific problem. So you are attempting to use an open source router/firewall box to support a user for what capabilities? – mdpc Dec 19 '12 at 22:22
  • 1
    The [FreeBSD 8.1 package for `sudo`](ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/security/sudo-1.7.3.tbz) will install on pfSense. – Chris S Dec 20 '12 at 01:48
1

Does FreeBSD have user private groups? If not, create a group and put only that user in it. Then in /etc/pam.d/su add something like

auth            sufficient      pam_group.so            no_warn group=foo

where foo is the group name.

Mark Wagner
  • This might work. I will experiment and report my findings. It certainly would be useful to have a pam_user module analogous to pam_group. The pfSense distro I am working with does not have pam_listfile, which might otherwise have been an option. – David G Dec 20 '12 at 03:51
  • OK, thanks very much Mark, this worked perfectly. I created a new group `nopw` and added the privileged user to it. Expanded answer below – David G Dec 20 '12 at 14:27
0

What is wrong with just putting the one user in the wheel group?

mdpc
0

Mark Wagner came up with a solution, for which many thanks. I created a group nopw and added the privileged user to it. Then I made a 'sufficient' no_warn rule for that group only using the pam_group.so module. Now the auth section of my /etc/pam.d/su file looks like:

auth   sufficient   pam_rootok.so   no_warn
auth   sufficient   pam_self.so     no_warn
auth   sufficient   pam_group.so    no_warn group=nopw root_only fail_safe
auth   requisite    pam_group.so    no_warn group=wheel root_only fail_safe
auth   include      system

David G
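As an added example (not part of any answer on this page), a small POSIX sh audit of a /etc/pam.d/su auth stack like the one above. It lists the groups granted passwordless su through `sufficient pam_group.so` rules, and separately reports bypass rules that sit above the `requisite ... group=wheel` gate: a `sufficient` rule that succeeds ends the stack right there, so a member of `nopw` who is not also in `wheel` would get root without a password. The sample file and function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample: the auth stack from the answer above, written to a temp file.
PAM_SU_SAMPLE="$(mktemp)"
trap 'rm -f "$PAM_SU_SAMPLE"' EXIT
cat > "$PAM_SU_SAMPLE" <<'EOF'
auth   sufficient   pam_rootok.so   no_warn
auth   sufficient   pam_self.so     no_warn
auth   sufficient   pam_group.so    no_warn group=nopw root_only fail_safe
auth   requisite    pam_group.so    no_warn group=wheel root_only fail_safe
auth   include      system
EOF

# Print, one per line and in stack order, every group whose members reach
# root through "auth sufficient pam_group.so ... group=<name>" without a
# password. Rules carrying the "deny" option invert the match and are skipped.
passwordless_su_groups() {
    awk '$1 == "auth" && $2 == "sufficient" && $3 == "pam_group.so" {
        deny = 0; grp = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "deny") deny = 1
            if (index($i, "group=") == 1) grp = substr($i, 7)
        }
        if (!deny && grp != "") print grp
    }' "$1"
}

# Print the bypass groups that appear BEFORE the first required/requisite
# pam_group gate. Such a rule is not restricted to wheel members at all:
# once it succeeds, PAM stops evaluating the rest of the auth stack.
ungated_bypass_groups() {
    awk '$1 != "auth" || $3 != "pam_group.so" { next }
         $2 == "requisite" || $2 == "required" { exit }
         $2 == "sufficient" {
             for (i = 4; i <= NF; i++)
                 if (index($i, "group=") == 1) print substr($i, 7)
         }' "$1"
}

echo "groups with passwordless su: $(passwordless_su_groups "$PAM_SU_SAMPLE")"
echo "bypass rules not gated by wheel: $(ungated_bypass_groups "$PAM_SU_SAMPLE")"
```

Moving the `requisite ... group=wheel` line above the `sufficient ... group=nopw` line makes the second function print nothing, so the bypass then only applies to users who are in both groups.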