https://community.hpe.com/t5/operating-system-hp-ux/su-command-restiction/m-p/4443480#M357640 how to restict the specific user for using the su command. [e.g] the user name is cbeny..please let me know.. i have to perform in a server .. Thanks in advance .. points assured Fri, 19 Jun 2009 18:18:38 GMT gany59 2009-06-19T18:18:38Z https://community.hpe.com/t5/operating-system-hp-ux/su-command-restiction/m-p/4443480#M357640 how to restict the specific user for using the su command. [e.g] the user name is cbeny..please let me know.. i have to perform in a server .. Thanks in advance .. points assured Fri, 19 Jun 2009 18:18:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/su-command-restiction/m-p/4443480#M357640 gany59 2009-06-19T18:18:38Z https://community.hpe.com/t5/operating-system-hp-ux/su-command-restiction/m-p/4443481#M357641 if "cbeny" knows the password of the "target" user, you can't disable "su".<BR /><BR />you could place "cbeny" in a resticted shell, but that may be overkill for what you want to accomplish<BR /><BR />you could write a wrapper script for the std "su" that looks at who ran it before doing the real "su"<BR /><BR />you could use "sudo", or "PowerBroker" Fri, 19 Jun 2009 18:56:58 GMT https://community.hpe.com/t5/operating-system-hp-ux/su-command-restiction/m-p/4443481#M357641 OldSchool 2009-06-19T18:56:58Z https://community.hpe.com/t5/operating-system-hp-ux/su-command-restiction/m-p/4443482#M357642 Hi:<BR /><BR />As OldSchool mentions, 'switch-user' or 'su' is password authenticated and a password will be posed everytime unless starting from root and going to a user account. 'root' is not authenticated with 'su', only user accounts are.<BR /><BR />If the issue is with 'su - root' from a user account then you can convert to a trusted system and live with those nusances, but I think popularity for trusted systems had really diminished since 10.20 and 11.00.<BR /><BR />You can also use the even less popular NIS Plus and get the same root restirctions. But I have yet to find an HP-UX box using NIS Plus. Its very unpopular. Fri, 19 Jun 2009 19:10:39 GMT https://community.hpe.com/t5/operating-system-hp-ux/su-command-restiction/m-p/4443482#M357642 Michael Steele_2 2009-06-19T19:10:39Z https://community.hpe.com/t5/operating-system-hp-ux/su-command-restiction/m-p/4443483#M357643 Hello,<BR /><BR />Apart from the advice you already got from<BR />others, here are other options:<BR /><BR />a) Set option SU_ROOT_GROUP in /etc/default/security and add user "cbeny" if<BR />they are allowed to su(1) to "root".<BR /><BR />Or, if you do not want "cbeny" to be able to<BR />su(1) to "root", then make them not be<BR />part of Unix group as defined in SU_ROOT_GROUP.<BR /><BR />b) Change permissions on /usr/bin/su (normally 4555, owner root, group bin or<BR />root), to a more restrictive, say 4550:<BR /><BR />-r-sr-x--- 1 root sugrp ... /usr/bin/su<BR /><BR />Then, create a sugrp in /etc/group. Add<BR />the users that are allowed to run su(1) to<BR />membership of the Unix group sugrp.<BR /><BR />c) Finally, think about using<BR />Role Based Access Control.<BR /><BR />Cheers,<BR /><BR />VK2COT Fri, 19 Jun 2009 22:43:28 GMT https://community.hpe.com/t5/operating-system-hp-ux/su-command-restiction/m-p/4443483#M357643 VK2COT 2009-06-19T22:43:28Z https://community.hpe.com/t5/operating-system-hp-ux/su-command-restiction/m-p/4443484#M357644 <A href="http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1349273" target="_blank">http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1349273</A> Sat, 20 Jun 2009 01:41:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/su-command-restiction/m-p/4443484#M357644 Michael Steele_2 2009-06-20T01:41:10Z