topic Re: disabling su ability to root in Operating System - HP-UX

disabling su ability to root

JOHN TURNER_2 — Wed, 15 Apr 2009 15:39:23 GMT

hi

i have just recieved some findings from an audit, and i have to disable the ability to su - root from all users on the system, and the only way the users can run root commands is via sudo. I already have sudo installed and configured, but need to disable the su ability, has anyone got any hints and tips on how to do this. I have already set up the /etc/securetty file with console in it

cheers in advance

john

Re: disabling su ability to root

Patrick Wallek — Wed, 15 Apr 2009 16:02:09 GMT

If you are just talking about someone doing:

$ su - root

then they will not be successful if they do not know the root password. Make sure no one except administrators knows the root password.

If you are talking about someone doing:

$ sudo su - root

then you can add a line in your sudoers file to forbid this.

Set up a CMND_ALIAS like:

Cmnd_Alias NOSU=!/usr/bin/su root, !/usr/bin/su -, !/usr/bin/su - root

Then just assign the NOSU cmnd_alias to your users.

Re: disabling su ability to root

UVK — Wed, 15 Apr 2009 16:25:10 GMT

Check for /etc/security/user file that will should give you the answer

You can disable su for anyone by just adding su=false.

-uvk

Re: disabling su ability to root

Bill Hassell — Wed, 15 Apr 2009 17:25:10 GMT

> Check for /etc/security/user file that will should give you the answer

I believe that this is an AIX feature. In HP-UX, a similar file is called /etc/default/security. The man page for security gives the options but none exist to defeat the su command.

As mentioned, su will not do anything if the user does not have the password. You can also disable su completely by renaming the executable but this will likely break scripts that su to other users. Do not give out the root password.

Re: disabling su ability to root

Steven E. Protter — Wed, 15 Apr 2009 17:34:23 GMT

Shalom,

If there is root password security, su - root need not be disabled.

People will not be able to log in to root. After this, watch the logs, its a policy issue and the users trying to log onto root need to be dealt with. Its not an IT issue.

SEP

Re: disabling su ability to root

Mark Fenton — Wed, 15 Apr 2009 22:09:08 GMT

I really don't think this is possible, or particularly desireable. I would think it sufficient to restrict direct root login to the console as you have done, and controlling access to the root password.
As an additional measure, I suppose you could restrict use of su to a particular group (in etc/default/security file you would add SU_ROOT_GROUP=wheel) to prevent casual attempts at running it.