https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015910#M129502 If I enable the login time an user, Can I make su to this user from other user? If I can, how I configure it?<BR /><BR />Thanks Fri, 04 Jul 2003 17:16:29 GMT Marcel Garcia Will 2003-07-04T17:16:29Z https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015910#M129502 If I enable the login time an user, Can I make su to this user from other user? If I can, how I configure it?<BR /><BR />Thanks Fri, 04 Jul 2003 17:16:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015910#M129502 Marcel Garcia Will 2003-07-04T17:16:29Z https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015911#M129503 The answer to your question is yes.<BR /><BR />su - username will give you the user along with the environment. Take out the dash and you only get priviledges.<BR /><BR />Trusted System is done either by running Bastille Security Checker or by Going into sam Security(obvious from there) as root user.<BR /><BR />The only configuration after that is to make the audit logs manageable. Too much logging and you just fill up filesystems.<BR /><BR />SEP Fri, 04 Jul 2003 18:49:31 GMT https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015911#M129503 Steven E. Protter 2003-07-04T18:49:31Z https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015912#M129504 thanks SEP, but it cannot resolve my problems.<BR />I??ve added a login time policy to an user.<BR />If I want to make su - [user] from other user besides root, the su - [user] fails. su - [user] obey login time policy, like telnet?<BR /><BR />in time, I need to make su - [user]. Fri, 04 Jul 2003 19:05:57 GMT https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015912#M129504 Marcel Garcia Will 2003-07-04T19:05:57Z https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015913#M129505 Greetings,<BR /><BR />I do not fully understand your problem.<BR /><BR />Here is what I understand.<BR /><BR />You limit logins based on time.<BR /><BR />Do you want to enable or disable su - logins.<BR /><BR />What is the error message you receive.<BR /><BR />Detail will help me understand.<BR /><BR />SEP Fri, 04 Jul 2003 20:06:23 GMT https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015913#M129505 Steven E. Protter 2003-07-04T20:06:23Z https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015914#M129506 This is not the way this should work.<BR /><BR />The security policy can only be enforced if:<BR />The user logs in <LOGIN time="" recorded="" and="" monitored=""><BR />If you su - xxxx you are changing the rules.<BR />Each su session is recorded in syslog/sulog.<BR /><BR />Why do you wish to su anyway? Why can't the user use his/her own login ? There are ways that file permissions can be manipulated with groups and acls.<BR /><BR />Within the shell there is an idle timeout facility (TMOUT and autologout depending on the shell type)<BR /><BR />I am sure that you compile or change options with using the 'sudo' product where there is a timeout.</LOGIN> Fri, 04 Jul 2003 23:04:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015914#M129506 Michael Tully 2003-07-04T23:04:56Z https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015915#M129507 I think Marcel wants to know whether it is possible to switch to a time-restricted account while outside of the 'allowed logon hours' of the target account.<BR /><BR />I guess not, since I assume this policy is checked at -every- logon, including su's.. hence, as a non-root user I don't think it will work. <BR /><BR />Best regards Sat, 05 Jul 2003 14:34:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/thrusted-system/m-p/3015915#M129507 Wouter Jagers 2003-07-05T14:34:45Z