topic Re: How do I force users to su to a non-root account? in Operating System - HP-UX

How do I force users to su to a non-root account?

DAN HENDERSON — Tue, 04 Dec 2001 16:47:57 GMT

I have an account (non-root) that I want to force users to "su" to. Is that possible?

Thanks ...

Re: How do I force users to su to a non-root account?

Craig Rants — Tue, 04 Dec 2001 16:49:51 GMT

Try making their shell /usr/bin/su - userid.

Good Luck,
C

Re: How do I force users to su to a non-root account?

Uday_S_Ankolekar — Tue, 04 Dec 2001 16:51:06 GMT

Hi,

This would be possible if you create(incase you don't have one) a file in /etc/securetty
add an entry called console in that.

This would only allow su to all the users if they want to root access

Goodluck
-USA..

Re: How do I force users to su to a non-root account?

Justo Exposito — Tue, 04 Dec 2001 16:53:04 GMT

Hi Dan,

Try:
su - username
exit
in the last 2 lines of the .profile file of the user.

Regards,
Justo.

Re: How do I force users to su to a non-root account?

Craig Rants — Tue, 04 Dec 2001 16:56:34 GMT

Justo,
If it was in their .profile, the user could Cntl-C out of the su, granted they are not a novice. Making it their shell gives them no option.

Uday,
The console entry in /etc/securetty only allows root logins from telnet and rlogin at the console, it does not affect other users.

C

Re: How do I force users to su to a non-root account?

Uday_S_Ankolekar — Tue, 04 Dec 2001 16:59:49 GMT

Sorry, I misunderstood your question.. Thanks to Craig for correcting it.

Re: How do I force users to su to a non-root account?

Justo Exposito — Tue, 04 Dec 2001 17:03:54 GMT

hi,

Yes, Craig you are ok. But you can use stty command in the .profile to lock the contol-C, and you can develop with shell a menu to access the system with many options.

Regards,
Justo.

Re: How do I force users to su to a non-root account?

Duncan Edmonstone — Tue, 04 Dec 2001 17:04:03 GMT

If you mean, like a DBA, who has to log in under his *own* account before he can su to oracle... This has come up several times before... see the attached link:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x7924cbaac6dcd5118ff40090279cd0f9,00.html

Re: How do I force users to su to a non-root account?

Craig Rants — Tue, 04 Dec 2001 17:04:22 GMT

I can't even write today.

/etc/securetty with an entry of console disallows telnet and rlogin attempts as root, root can only login on the console.

Geez, was that so hard.

Sorry for my giberish,
C

Re: How do I force users to su to a non-root account?

Craig Rants — Tue, 04 Dec 2001 17:06:07 GMT

Justo,
Yes you are right, forgot about that option.

Re: How do I force users to su to a non-root account?

Tim D Fulford — Tue, 04 Dec 2001 17:12:02 GMT

Dan

This does not seem to be in line with the answers given above! However, I think this is what you want.

if you have a generic non-root user account, say informix you obviously do not want users to directly telnet or rlogin into those accouts as there is no audit trail. In effect you want a /etc/securetty for regular users (I think). I do not know of such a beast. However, if in the .profile of informix you put

wai=$(/usr/bin/logname)
if [ $wai = informix ]
then
echo "Access denied, use su - user"
exec sleep 5
exit
fi

Obviously these files cannot be owned by informix so make them owned by root & readable
# chmod 440 ~informix/.profile
OR
# chmod 444 ~informix/.profile
# chown root:informix ~informix/.profile

Tim

Re: How do I force users to su to a non-root account?

Bernie Vande Griend — Tue, 04 Dec 2001 17:21:15 GMT

Dan,
can you clarify the question? Do you want users to automatically su to that account when they login?
Or do you want that non-root account to only be used by "su" to it, instead of direct login? An example would be a database generic account such as "oracle" or "sybase". Can't think of a great way for the first scenario. For the second, I've accomplished that by modified /etc/profile in the same way that Tim suggests doing in a local .profile. Either way will work, but I prefer /etc/profile as it makes it a bit easier to administer.

Re: How do I force users to su to a non-root account?

Darrell Allen — Tue, 04 Dec 2001 17:23:21 GMT

Hi Dan,

There is no HPUX mechanism such as securetty for non-root accounts. I believe you will have to put edits in /etc/profile to do what you want (or /etc/csh.login if a csh account).

You may try putting the edits in the account's .profile but you would have to put sticky bit on the directory, chown the directory to root, and generally a bunch of stuff that makes life more difficult for that account.

There's a number of threads along this line in the forums. My best search results are from search.hp.com on something like: +login +su +restrict

Darrell

Re: How do I force users to su to a non-root account?

Duncan Edmonstone — Tue, 04 Dec 2001 17:24:00 GMT

Tim,

The code is good, but you can't protect anything that goes in a users .profile....

Remember that the user 'informix' owns it home directory, so they can delete any file in there. If I was the informix DBA, and the code you'd added was annoying me I'd do this:

cp .profile .profile.new
< remove those annoying lines in .profile.new>
rm -f .profile
mv .profile.new .profile

So to stop this you must add the code to /etc/profile, which is also run at login, but the user *can't* edit or change

HTH

Duncan

Re: How do I force users to su to a non-root account?

Sanjay_6 — Tue, 04 Dec 2001 18:08:14 GMT

Hi Dan,

Try these links,

http://us-support2.external.hp.com/cki/bin/doc.pl/sid=25405b930db750f8a0/screen=ckiDisplayDocument?docId=200000051899524

http://us-support2.external.hp.com/cki/bin/doc.pl/sid=25405b930db750f8a0/screen=ckiDisplayDocument?docId=200000027709182

Hope this helps.

Regds

Re: How do I force users to su to a non-root account?

Craig Rants — Tue, 04 Dec 2001 20:21:25 GMT

Ok, so the question is you want an account that users cannot login as, but can su to. Guess I missed the intent.

C