https://community.hpe.com/t5/operating-system-hp-ux/restrict-su-command-for-particular-user/m-p/5915375#M482771 <P>&gt;I want to restrict the su command&nbsp; for list of users.&nbsp; We are using su command in scripts</P><P>&nbsp;</P><P>You can change your scripts check for those users before you do the su command.</P><P>(Of course the user could copy the script and remove those checks.)</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 Dec 2012 12:05:28 GMT Dennis Handly 2012-12-27T12:05:28Z https://community.hpe.com/t5/operating-system-hp-ux/restrict-su-command-for-particular-user/m-p/5915349#M482768 <P>Hi experts</P><P>&nbsp;</P><P>In HP-UX is it possible to restrict su command for specific user?</P><P>&nbsp;</P><P>For eg .users .profile file i set alias name for su</P><P>&nbsp;</P><P>alias su='hostname'</P><P>&nbsp;</P><P>Other Than any options available...? please suggest</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks in Aadvance.</P> Thu, 27 Dec 2012 11:36:44 GMT https://community.hpe.com/t5/operating-system-hp-ux/restrict-su-command-for-particular-user/m-p/5915349#M482768 Ajin_1 2012-12-27T11:36:44Z https://community.hpe.com/t5/operating-system-hp-ux/restrict-su-command-for-particular-user/m-p/5915355#M482769 <P>Why do you care?&nbsp; He has to know the password.</P><P>&nbsp;</P><P>Otherwise you would have to make a SUID script to check for that user, then invoke the real su.</P><P>And the real su would have to have its permissions changed to only allow root to execute it.</P><P>&nbsp;</P><P>(Hmm, unfortunately, then that changed su would never ask for passwords.&nbsp; )-:</P> Thu, 27 Dec 2012 11:42:47 GMT https://community.hpe.com/t5/operating-system-hp-ux/restrict-su-command-for-particular-user/m-p/5915355#M482769 Dennis Handly 2012-12-27T11:42:47Z https://community.hpe.com/t5/operating-system-hp-ux/restrict-su-command-for-particular-user/m-p/5915363#M482770 <P>Hi Dennis</P><P>&nbsp;</P><P>Thanks for reply.</P><P>&nbsp;</P><P>My requirement is i want to restrict the su command&nbsp; for list of users .</P><P>We are using su command in scripts ,so</P> Thu, 27 Dec 2012 11:54:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/restrict-su-command-for-particular-user/m-p/5915363#M482770 Ajin_1 2012-12-27T11:54:20Z https://community.hpe.com/t5/operating-system-hp-ux/restrict-su-command-for-particular-user/m-p/5915375#M482771 <P>&gt;I want to restrict the su command&nbsp; for list of users.&nbsp; We are using su command in scripts</P><P>&nbsp;</P><P>You can change your scripts check for those users before you do the su command.</P><P>(Of course the user could copy the script and remove those checks.)</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 Dec 2012 12:05:28 GMT https://community.hpe.com/t5/operating-system-hp-ux/restrict-su-command-for-particular-user/m-p/5915375#M482771 Dennis Handly 2012-12-27T12:05:28Z https://community.hpe.com/t5/operating-system-hp-ux/restrict-su-command-for-particular-user/m-p/5915449#M482772 <P>There are no built-in security features for the su command. If the user knows the password to the user they are trying to become, then they can use it.&nbsp; Many shops where security is an issue remove the su command and make users and scripts use either sudo or RBAC.&nbsp; The sudo utilities have been around for a long time and are more common. However, they are open source and not directly supported by HP.&nbsp; I would suggest using the HP-UX RBAC packages built into 11.31 and available for 11.23. They let you get very granular in granting privileges and give you logs. They are no harder to structure than sudo and I think they work better, once you get past the learning curve.</P> Thu, 27 Dec 2012 13:54:17 GMT https://community.hpe.com/t5/operating-system-hp-ux/restrict-su-command-for-particular-user/m-p/5915449#M482772 Ken Grabowski 2012-12-27T13:54:17Z