HPE Community
Operating System - HP-UX
1751714 Members
5471 Online
108781 Solutions
New Discussion юеВ

disabling su ability to root

 
JOHN TURNER_2
Frequent Advisor

тАО04-15-2009 08:39 AM

тАО04-15-2009 08:39 AM

disabling su ability to root

hi

i have just recieved some findings from an audit, and i have to disable the ability to su - root from all users on the system, and the only way the users can run root commands is via sudo. I already have sudo installed and configured, but need to disable the su ability, has anyone got any hints and tips on how to do this. I have already set up the /etc/securetty file with console in it

cheers in advance

john
GUI's are for wimps!
0 Kudos
Reply
5 REPLIES 5
Patrick Wallek
Honored Contributor

тАО04-15-2009 09:02 AM

тАО04-15-2009 09:02 AM

Re: disabling su ability to root

If you are just talking about someone doing:

$ su - root

then they will not be successful if they do not know the root password. Make sure no one except administrators knows the root password.

If you are talking about someone doing:

$ sudo su - root

then you can add a line in your sudoers file to forbid this.

Set up a CMND_ALIAS like:

Cmnd_Alias NOSU=!/usr/bin/su root, !/usr/bin/su -, !/usr/bin/su - root

Then just assign the NOSU cmnd_alias to your users.
0 Kudos
Reply
UVK
Trusted Contributor

тАО04-15-2009 09:25 AM

тАО04-15-2009 09:25 AM

Re: disabling su ability to root

Check for /etc/security/user file that will should give you the answer

You can disable su for anyone by just adding su=false.

-uvk
-------------------------------------------
Like it or worked !! Click kudos !!
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО04-15-2009 10:25 AM

тАО04-15-2009 10:25 AM

Re: disabling su ability to root

> Check for /etc/security/user file that will should give you the answer

I believe that this is an AIX feature. In HP-UX, a similar file is called /etc/default/security. The man page for security gives the options but none exist to defeat the su command.

As mentioned, su will not do anything if the user does not have the password. You can also disable su completely by renaming the executable but this will likely break scripts that su to other users. Do not give out the root password.


Bill Hassell, sysadmin
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО04-15-2009 10:34 AM

тАО04-15-2009 10:34 AM

Re: disabling su ability to root

Shalom,

If there is root password security, su - root need not be disabled.

People will not be able to log in to root. After this, watch the logs, its a policy issue and the users trying to log onto root need to be dealt with. Its not an IT issue.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Mark Fenton
Esteemed Contributor

тАО04-15-2009 03:09 PM

тАО04-15-2009 03:09 PM

Re: disabling su ability to root

I really don't think this is possible, or particularly desireable. I would think it sufficient to restrict direct root login to the console as you have done, and controlling access to the root password.
As an additional measure, I suppose you could restrict use of su to a particular group (in etc/default/security file you would add SU_ROOT_GROUP=wheel) to prevent casual attempts at running it.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.