topic Re: Disable su - in Operating System - HP-UX

Disable su -

Macho_2 — Thu, 14 Apr 2005 22:53:15 GMT

How to disable user from su to other account or root and what the file control the su ?

Re: Disable su -

Naveej.K.A — Thu, 14 Apr 2005 23:01:48 GMT

Hi,

Rename the command "su" or move it to a different directory.

Regards,
Naveej

Re: Disable su -

Ranjith_5 — Thu, 14 Apr 2005 23:23:04 GMT

Hi,

See my reply in this thread. by this way you can stop users, doing su to root.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=854029

To restrict "su" command from normal users move su binary to /usr/sbin from /usr/bin.
#mv /usr/bin/su /usr/sbin/
Hope this will work still I havent tested this method.Other option is renaming the binary.

Naveej also mentioned the similar solution here.

Regards,
Syam

Re: Disable su -

Ng Oon Tian — Thu, 14 Apr 2005 23:25:52 GMT

Renaming/moving/removing the binary just means that the user (if malicious) will either (1) copy it from another system or (2) get another copy from somewhere or (3) path to it explicitly.

Do you want to lock down su to all users or only to the root user?

What you need to consider is

1) I want users to stop doing SU to root.
Easy: Look at /etc/default/security and set SU_ROOT_GROUP.

2) To disourage use of SU set a policy and then check the /var/adm/sulog file.

Else provide an idea of what is trying to be achieved and perhaps another way can be found.

Example. I am user "ONE" and I wish to su to user "TWO". Locking down su just means I have to pop up another session and log in as user "TWO".

Re: Disable su -

Suraj Singh_1 — Thu, 14 Apr 2005 23:27:27 GMT

Yes, The only possible way to disable su is wither to rename it or move it to a place which is not in the PATH.

Rgds

Re: Disable su -

Trond Haugen — Fri, 15 Apr 2005 01:13:27 GMT

Well Ng, if a user is able to get su from another system he will need to already have root privliges.
CooLmaChO if a user ca su to root he has the root passord. If you remove su he can still log in as root and "have all the fun he wants". Unless you utilize securetty but then root will only be able to login from the console.

Seems to me the solution is to protect the passwords.

Regards,
Trond

Re: Disable su -

T G Manikandan — Fri, 15 Apr 2005 01:24:08 GMT

you can use sudo tool to restrict the usage of the su command.

Re: Disable su -

Biswajit Tripathy — Fri, 15 Apr 2005 01:34:41 GMT

CooLmaChO,
As Trond said, if user can user su root, (s)he already
has the passwd. What you need is a strong password
policy.

It's not really a good idea to hide/rename/move the
su binary. I would strongly advice against it.

- Biswajit