How to grant su access without password to one user only in wheel group (FreeBSD)?


Solution 1

Does FreeBSD have user private groups? If not, create a group and put only that user in it. Then in /etc/pam.d/su add something like

auth            sufficient      pam_group.so            no_warn group=foo

where foo is the group name.
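An added audit example, not part of the original answers: it lists which accounts a `sufficient` pam_group rule in an su PAM file admits without a password, which matters because a `sufficient` success skips every later check for all members of the named group. The sample files are constructed, the function names are hypothetical, and counting primary-group members assumes pam_group treats a user's primary group as membership.

```shell
#!/bin/sh
# Added example: list accounts that an su PAM policy admits without a password.

# Groups named by "auth sufficient pam_group.so ... group=NAME" rules.
nopw_groups() {  # $1 = PAM service file
    awk '$1 == "auth" && $2 == "sufficient" && $3 ~ /pam_group(\.so)?$/ {
        g = "wheel"; deny = 0            # pam_group checks wheel by default
        for (i = 4; i <= NF; i++) {
            if ($i == "deny") deny = 1   # inverted rule: not handled here
            if ($i ~ /^group=/) g = substr($i, 7)
        }
        if (!deny) print g
    }' "$1"
}

# Members of group $1: listed members plus accounts with it as primary group
# (assumption: pam_group counts primary-group membership).
members() {  # $1 = group, $2 = group file, $3 = passwd file
    awk -F: -v g="$1" '
        NR == FNR { if ($1 == g) { gid = $3; n = split($4, m, ",")
                        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
                    next }
        gid != "" && $4 == gid { print $1 }' "$2" "$3" | sort -u
}

audit_su() {  # $1 = PAM file, $2 = group file, $3 = passwd file
    for g in $(nopw_groups "$1"); do
        for u in $(members "$g" "$2" "$3"); do echo "$g:$u"; done
    done
}

# Constructed sample files, not taken from a real system.
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
cat > "$d/su" <<'EOF'
auth sufficient pam_rootok.so no_warn
auth sufficient pam_group.so no_warn group=nopw
auth requisite  pam_group.so no_warn group=wheel root_only fail_safe
auth include    system
EOF
printf 'wheel:*:0:root,alice,bob\nnopw:*:1001:alice\n' > "$d/group"
printf 'root:*:0:0::/root:/bin/sh\nalice:*:1002:1002::/home/alice:/bin/sh\ncarol:*:1003:1001::/home/carol:/bin/sh\n' > "$d/passwd"
audit_su "$d/su" "$d/group" "$d/passwd"
```

In the sample, carol is reported even though she is not in wheel, because the `sufficient` line sits above the wheel check. On a live system the arguments would be /etc/pam.d/su, /etc/group and /etc/passwd.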

Solution 2

I suggest using sudo to do this. It's easy and a well-tested method.

Please reference the sudo man page for more information.


Author: David G

Updated on September 18, 2022

Comments

  • David G
    David G almost 2 years

    I know how to enable su without a password for all wheel group users by adding the appropriate configuration line in /etc/pam.d/su.

    I do not want to enable this for all wheel users but only one particular user.

    I am using FreeBSD 8.1. How do I do this?

    UPDATE in response to comments below

    This is a pfSense box. Underlying OS is FreeBSD 8.1 but as usual for pfSense a lot of functionality is missing, notably the entire ports collection. I wish to have one privileged user (in wheel group) able to invoke su - without having to type the root password. Enabling this for all wheel users using PAM is easy. I do not know the correct PAM configuration to allow bypassing the password for one particular user. I am constrained by company policy in how much alteration I can make. This is a running, mission-critical machine and I cannot take the risk of accidentally bringing it down. I have inherited administration of this machine but radical changes to its configuration are not practicable or permissible at this present time. I have PAM; I don't have sudo. I wish I did, but I don't.

    • David G
      David G over 11 years
      This is FreeBSD. I do not have sudo. I want to do this via PAM.
    • Admin
      Admin over 11 years
      sudo is available for FreeBSD ports. Update your port tree if you do not have sudo.
    • mdpc
      mdpc over 11 years
      Please include more details of your situation. What is the user supposed to do? Why are you unable to use/install sudo on a FreeBSD system? A little sample scenario perhaps of what you are specifically trying to do.
    • Admin
      Admin over 11 years
      :: Wonders if compiling sudo on a FreeBSD box and uploading it to the pfsense box would work ::
    • Philip
      Philip over 11 years
      FreeBSD packages work just fine on a pfSense box... pfSense didn't meddle with OS much, but the ports tree is not included for space reasons.
    • Philip
      Philip over 11 years
      I have to ask why you have multiple wheel users in the first place, and why one has to be able to gain root privileges without a password. This seems exceedingly odd.
  • David G
    David G over 11 years
    This is a pfSense box. It does not have sudo. It does not have ports. It does not even have portsnap. It does, however, have PAM, which is why I want to use PAM and not sudo and not ports.
  • mdpc
    mdpc over 11 years
    BTW, for reference, this information should have been included in the original message so we get to your specific problem. So you are attempting to use an open source router/firewall box to support a user for what capabilities?
  • Philip
    Philip over 11 years
    The FreeBSD 8.1 package for sudo will install on pfSense.
  • mdpc
    mdpc over 11 years
    @Chris S. -- See the first line in this question.
  • David G
    David G over 11 years
    This might work. I will experiment and report my findings. It certainly would be useful to have a pam_user module analogous to pam_group. The pfSense distro I am working with does not have pam_listfile, which might otherwise have been an option.
  • mdpc
    mdpc over 11 years
    They seem to be contradictory statements really. So put only ONE user in the wheel group which is what I was getting to.
  • David G
    David G over 11 years
    OK, thanks very much Mark, this worked perfectly. I created a new group nopw and added the privileged user to it. Expanded answer below.