topic Re: Security IDs in Operating System - HP-UX

Security IDs

Fenglin — Tue, 06 Apr 2010 05:12:39 GMT

Hi

How to create/set an ID that cannot switch user to root?

Regards
Feng Lin

Re: Security IDs

Matti_Kurkela — Tue, 06 Apr 2010 06:01:18 GMT

Do you assume that the owner(s) of that ID will get to know the root password? If so, you have a critical problem in your root password management: fix that first.

You can create a group that includes all the users that should be allowed to switch to root, then change the permissions of the "su" command to make it executable by that group only.

Restricting the "su" command will make it difficult to access other non-personal user accounts (i.e. application user accounts). So you may have to provide an alternative that allows more flexible security controls than the "su" command. A common alternative is "sudo": it is available in the free HP Internet Express package.

"sudo" allows the sysadmin to define the things a user is allowed to do using accounts other than his/her own, in a case-by-case basis.

When using sudo to switch from ID A to ID B, the user is not normally asked the password of ID B. Instead, if the action is allowed in the sudo configuration, the user may be simply allowed to do it, or required to enter the password of ID A to confirm their identity. If you want sudo to require the password of ID B, that is configurable too.

From a security perspective, it would be best if each user has a unique, personal ID which is used by nobody else. If the user hasn't been authorized to do something, the system should stop him/her from doing it at all. From the ease-of-use perspective, if the user has been authorized to do something, it should "just work" with the minimum required extra steps because of security restrictions. That's exactly the combination of behaviours you can achieve with sudo.

MK

Re: Security IDs

Johnson Punniyalingam — Tue, 06 Apr 2010 06:03:42 GMT

http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1270537286861+28353475&threadId=87437

Re: Security IDs

Fenglin — Tue, 06 Apr 2010 07:29:25 GMT

Hi Matti

How do I restrict group A to be able to su to root and group B not to be able to su to root?

Regards
Feng Lin

Re: Security IDs

Doug O'Leary — Tue, 06 Apr 2010 12:02:55 GMT

Hey;

man security(4); the option you're looking for is called SU_ROOT_GROUP. It's effective since 11.11.

So, define a group you want to be able to su - root, then define it in the security file:

groupadd sysadm
echo "SU_ROOT_GROUP=sysadm" >> /etc/default/security

should do the trick.

Doug O'Leary