Running sudo on a server fails with the error "PAM account management error: Permission denied":
test1@home:~> sudo -l
sudo: PAM account management error: Permission denied
Check sudo's PAM configuration file; it includes the common-account configuration file:
test1:~ # cat /etc/pam.d/sudo
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session optional pam_keyinit.so revoke
session include common-session
# session optional pam_xauth.so
test1:~ #
The common-account configuration uses the pam_unix2.so module:
test1:~ # cat /etc/pam.d/common-account
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the account modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account required pam_unix2.so
It turns out that this module fails the account check for user IDs that have no password or whose password is locked; hipat1's shadow entry shows a locked password field ("!"):
test1:~ # grep hipat1 /etc/shadow
hipat1:!:19124:0:99999:7:::
Switch to pam_unix.so instead; this module supports locked users and empty passwords:
test1:~ # cat /etc/pam.d/common-account
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the account modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account required pam_unix.so
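To make the difference between the two account modules concrete, here is an added example (written for this page, not code from the post or from either PAM module). It models the account-stage decision: pam_unix's account check is driven by the aging fields of the /etc/shadow entry (last change, max days, inactive days, expiry day), so a locked ("!") or empty password field does not by itself deny service, whereas pam_unix2, as the post reports, additionally rejects locked and passwordless accounts. The decision logic is a simplified approximation, not the modules' own code; the hipat1 line is taken from the post, the other shadow lines and the value of "today" are constructed.

```python
# Added example: approximate the account-stage decision of pam_unix vs pam_unix2
# on /etc/shadow entries. Not the modules' own code; logic is simplified.
from dataclasses import dataclass


@dataclass
class ShadowEntry:
    name: str
    password: str
    lastchg: int   # day of last password change (days since 1970-01-01), -1 if unset
    mindays: int
    maxdays: int
    warndays: int
    inactive: int  # grace days after maxdays before the password is treated as expired
    expire: int    # absolute day the account expires; -1 if unset


def _days(field: str) -> int:
    # getspnam() reports an empty aging field as -1; mirror that convention.
    return int(field) if field else -1


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one colon-separated /etc/shadow line into its fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 8:
        raise ValueError(f"malformed shadow entry: {line!r}")
    name, pw, lastchg, mn, mx, warn, inact, exp = parts[:8]
    return ShadowEntry(name, pw, _days(lastchg), _days(mn), _days(mx),
                       _days(warn), _days(inact), _days(exp))


def password_state(e: ShadowEntry) -> str:
    """Classify the hash field: 'empty', 'locked' (starts with '!' or '*') or 'set'."""
    if e.password == "":
        return "empty"
    if e.password[0] in "!*":
        return "locked"
    return "set"


def pam_unix_account(e: ShadowEntry, today: int) -> str:
    """Approximation of pam_unix's account stage: only aging fields matter.
    Returns 'ok', 'account_expired', 'password_expired' or 'change_required'."""
    if e.expire != -1 and today >= e.expire:
        return "account_expired"
    if e.lastchg == 0:
        return "change_required"        # administrator forced a password change
    if today < e.lastchg:
        return "ok"                     # change date lies in the future; pam_unix lets it pass
    age = today - e.lastchg
    if e.maxdays != -1 and age > e.maxdays:
        if e.inactive != -1 and age > e.maxdays + e.inactive:
            return "password_expired"   # past the inactivity grace period: denied
        return "change_required"        # expired, but the user may still change it
    return "ok"


def pam_unix2_account(e: ShadowEntry, today: int) -> str:
    """Model of the behaviour the post observed: pam_unix2 also denies
    locked and passwordless accounts before applying the aging checks."""
    state = password_state(e)
    if state != "set":
        return "denied_" + state
    return pam_unix_account(e, today)


# Constructed sample data; only the hipat1 line comes from the post.
SAMPLE_SHADOW = [
    "hipat1:!:19124:0:99999:7:::",                   # from the post: locked, no aging limits
    "nopw::19124:0:99999:7:::",                      # constructed: empty password field
    "stale:$6$c0nstructed:19000:0:90:7:30::",        # constructed: 90-day max, 30-day grace
    "gone:$6$c0nstructed:19000:0:99999:7::19100:",   # constructed: hard expiry day
    "forced:$6$c0nstructed:0:0:99999:7:::",          # constructed: lastchg 0 forces a change
]
TODAY = 19200  # constructed "today", in days since the epoch


def audit(lines=SAMPLE_SHADOW, today=TODAY):
    """Return {user: (password state, pam_unix result, pam_unix2 result)}."""
    return {e.name: (password_state(e), pam_unix_account(e, today), pam_unix2_account(e, today))
            for e in map(parse_shadow_line, lines)}


if __name__ == "__main__":
    for name, (pw, unix, unix2) in audit().items():
        print(f"{name:8} password={pw:6} pam_unix={unix:18} pam_unix2={unix2}")
```

Running it shows why the switch fixes sudo for hipat1: under the pam_unix model the locked entry is "ok" because none of its aging fields have run out, while the pam_unix2 model returns "denied_locked". The same run also shows what pam_unix still denies (an account past its expiry day or past its inactivity grace period), which is the check that remains in force after the change.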
After the change, run sudo again; it now works normally:
test1 :~ # su - hipat1
hipat1@test1:~> sudo -l
Matching Defaults entries for hipat1 on test1:
always_set_home, env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
User hipat1 may run the following commands on test1:
(ALL) NOPASSWD: ALL, !/usr/bin/su, !/usr/bin/su root, !/bin/su, !/bin/su root, /usr/bin/su -, /bin/su -, /usr/bin/su - root, /bin/su - root, /bin/ash, /usr/bin/ash, /bin/bash,
/usr/bin/bash, /opt/freeware/bin/bash, /usr/opt/freeware/bin/bash, /bin/bash1, /usr/bin/bash1, /bin/bash2, /usr/bin/bash2, /bin/bsh, /usr/bin/bsh, /bin/ch, /usr/bin/ch, /bin/csh,
/usr/bin/csh, /bin/jsh, /usr/bin/jsh, /bin/ksh, /usr/bin/ksh, /bin/ksh93, /usr/bin/ksh93, /bin/pfcsh, /usr/bin/pfcsh, /bin/pfksh, /usr/bin/pfksh, /bin/pfsh, /usr/bin/pfsh, /bin/psh,
/usr/bin/psh, /bin/recsh, /usr/bin/recsh, /bin/rksh, /usr/bin/rksh, /bin/rsh, /usr/bin/rsh, /usr/ucb/rsh, /bin/sh, /usr/bin/sh, /usr/samples/tcpip/sendmail/sh, /usr/shell,
/usr/bin/shell, /bin/tclsh, /usr/bin/tclsh, /opt/freeware/bin/tclsh, /usr/opt/freeware/bin/tclsh, /bin/tclsh8.4, /usr/bin/tclsh8.4, /opt/freeware/bin/tclsh8.4,
/usr/opt/freeware/bin/tclsh8.4, /bin/tcsh, /usr/bin/tcsh, /bin/tsh, /usr/bin/tsh, /bin/wish, /usr/bin/wish, /opt/freeware/bin/wish, /usr/opt/freeware/bin/wish, /bin/wish8.4,
/usr/bin/wish8.4, /opt/freeware/bin/wish8.4, /usr/opt/freeware/bin/wish8.4, /bin/wishx, /usr/bin/wishx, /bin/zsh, /usr/bin/zsh, !/usr/bin/ed, !/bin/ed, !/usr/bin/bash2bug,
!/usr/bin/bashbug, !/usr/bin/find * -exec *, !/usr/bin/find * -ok *, !/bin/find * -exec *, !/bin/find * -ok *, !/usr/bin/find * -execdir *, !/usr/bin/find * -okdir *, !/bin/find *
-execdir *, !/bin/find * -okdir *, !/usr/bin/ftp, !/bin/ftp, !/usr/bin/ex, !/bin/ex, !/usr/bin/less, !/usr/bin/more, !/bin/more, !/usr/bin/pg, !/bin/pg, !/usr/bin/vi, !/bin/vi,
!/bin/view, !/usr/bin/view, !/usr/bin/gview, !/bin/gview, !/usr/bin/eview, !/bin/eview, !/usr/bin/evim, !/bin/evim, !/usr/bin/gvim, !/bin/gvim, !/usr/bin/vimdiff, !/bin/vimdiff,
!/usr/bin/vim, !/bin/vim, !/usr/sbin/format, !/bin/vi, !/bin/tvi, !/bin/vim, !/bin/rvim, !/bin/gvim, !/bin/evim, !/bin/emacs, !/bin/ed, !/usr/bin/vi, !/usr/bin/tvi, !/usr/bin/nano,
!/usr/bin/vim, !/usr/bin/rvim, !/usr/bin/gvim, !/usr/bin/evim, !/usr/bin/emacs, !/usr/bin/ed, !/bin/view, !/usr/bin/view, !/bin/rvi, !/usr/bin/rvi
(ALL) NOPASSWD: /bin/ash, /usr/bin/ash, /bin/bash, /usr/bin/bash, /opt/freeware/bin/bash, /usr/opt/freeware/bin/bash, /bin/bash1, /usr/bin/bash1, /bin/bash2, /usr/bin/bash2, /bin/bsh,
/usr/bin/bsh, /bin/ch, /usr/bin/ch, /bin/csh, /usr/bin/csh, /bin/jsh, /usr/bin/jsh, /bin