https://community.hpe.com/t5/operating-system-hp-ux/access-controls-on-su/m-p/4187126#M323147 Hello,<BR /><BR />a) The method you showed in Linux is based<BR />on PAM.<BR /><BR />Since HP-UX supports PAM, I guess it<BR />is possible to do it. In fact,<BR />when I get back from a business trip in two<BR />weeks, I will try it myself.<BR /><BR />b) The second option would be SUDO with SUDOSH.<BR /><BR />That one I have implemented for a large <BR />company running Solaris, Linux and HP-UX.<BR /><BR />c) Finally, if you use HP-UX 11.23 or 11.31,<BR />go for Role Based Access Control (RBAC).<BR /><BR />Such a good tool, used so little in HP-UX.<BR />Pity.<BR /><BR />Cheers,<BR /><BR />VK2COT<BR /><BR /><BR /><BR /> Fri, 25 Apr 2008 20:27:07 GMT VK2COT 2008-04-25T20:27:07Z https://community.hpe.com/t5/operating-system-hp-ux/access-controls-on-su/m-p/4187123#M323144 In Linux, following files controle the su access<BR /><BR /># ll /etc/security/su*<BR />-rw-r--r-- 1 root root 8 Feb 15 2006 /etc/security/suapplmgr<BR />-rw-r--r-- 1 root root 7 Feb 15 2006 /etc/security/suoracle<BR />-rw-r--r-- 1 root root 5 Feb 15 2006 /etc/security/suroot<BR /><BR />is there an equivalent in HP-UX or an alternate method!<BR /><BR /><BR /> Fri, 25 Apr 2008 18:24:03 GMT https://community.hpe.com/t5/operating-system-hp-ux/access-controls-on-su/m-p/4187123#M323144 skt_skt 2008-04-25T18:24:03Z https://community.hpe.com/t5/operating-system-hp-ux/access-controls-on-su/m-p/4187124#M323145 As far as I know.<BR /><BR />1) su access is only limited to knowing the password of who you are su'ing to<BR /><BR />2) if not root then permissions are controlled by standard file permissions and some directives defined in /etc/defaults/security<BR /><BR />3) I see others typically use sudo (3rd party app) for this purpose. <BR /><BR />man su <BR />or <BR />man security <BR /><BR />for more.<BR /><BR /> Fri, 25 Apr 2008 18:42:13 GMT https://community.hpe.com/t5/operating-system-hp-ux/access-controls-on-su/m-p/4187124#M323145 Tim Nelson 2008-04-25T18:42:13Z https://community.hpe.com/t5/operating-system-hp-ux/access-controls-on-su/m-p/4187125#M323146 To control who can 'su - root', you can do the following:<BR /><BR />1) Create a unique group (say 'some_unique_group')<BR /><BR />2) add the following line to /etc/default/security file:<BR />SU_ROOT_GROUP=some_unique_group<BR /><BR />3) add the users who should should be allowed to do 'su root' to this group:<BR /><BR />in file /etc/group:<BR /><BR />some_unique_group::GID:user1,user2,user3...<BR /><BR /><BR />Not sure if there is a way restrict 'su' to other non-root account.<BR /><BR />thanks,<BR />sj<BR /><BR /><BR /> Fri, 25 Apr 2008 18:50:42 GMT https://community.hpe.com/t5/operating-system-hp-ux/access-controls-on-su/m-p/4187125#M323146 Srini Jay 2008-04-25T18:50:42Z https://community.hpe.com/t5/operating-system-hp-ux/access-controls-on-su/m-p/4187126#M323147 Hello,<BR /><BR />a) The method you showed in Linux is based<BR />on PAM.<BR /><BR />Since HP-UX supports PAM, I guess it<BR />is possible to do it. In fact,<BR />when I get back from a business trip in two<BR />weeks, I will try it myself.<BR /><BR />b) The second option would be SUDO with SUDOSH.<BR /><BR />That one I have implemented for a large <BR />company running Solaris, Linux and HP-UX.<BR /><BR />c) Finally, if you use HP-UX 11.23 or 11.31,<BR />go for Role Based Access Control (RBAC).<BR /><BR />Such a good tool, used so little in HP-UX.<BR />Pity.<BR /><BR />Cheers,<BR /><BR />VK2COT<BR /><BR /><BR /><BR /> Fri, 25 Apr 2008 20:27:07 GMT https://community.hpe.com/t5/operating-system-hp-ux/access-controls-on-su/m-p/4187126#M323147 VK2COT 2008-04-25T20:27:07Z https://community.hpe.com/t5/operating-system-hp-ux/access-controls-on-su/m-p/4187127#M323148 <BR />[ghosha@/home/ghosha] #su -<BR />Password:<BR />Last successful login for root: Fri Jan 23 09:48:35 EST5EDT 2009<BR />Last unsuccessful login for root: Thu Jan 22 12:04:28 EST5EDT 2009<BR />su: Not a member of the SU_ROOT_GROUP defined in /etc/default/security<BR />[ghosha@/home/ghosha] #<BR /><BR />su to root account is prevented if the users are NOT members of easroot. But NOT available for any other accounts.<BR /> Mon, 26 Jan 2009 00:43:41 GMT https://community.hpe.com/t5/operating-system-hp-ux/access-controls-on-su/m-p/4187127#M323148 skt_skt 2009-01-26T00:43:41Z