topic Re: SU Restriction in Operating System - HP-UX

SU Restriction

John Carver — Tue, 16 Jul 2002 20:03:27 GMT

I have created the file /etc/securetty to force my admins to su
rather than logging directly into root. Is there a method in HPUX11.00
to limit who can use the su command or better yet, a method to limit su
to root?

John Carver

Re: SU Restriction

Sanjay_6 — Tue, 16 Jul 2002 20:13:13 GMT

Hi john,

"su" is a regular unix command. If you want that su should work only if root is passed as an argument, you can move the binary executable su to a location not in the regular user path and then put a wrapper around the su command in a script such that the script can check if root is passed as aan arguement, if so it works else it fails.

however is there a problem in allowing the regular users to su to another user id than root?. should be okay if the user can do an su to another user id since any userid other than root will be required to give the passwd for the userid someone is su'ing to.

Hope this helps.

regds

Re: SU Restriction

Steven Mertens — Tue, 16 Jul 2002 20:15:06 GMT

hi John,

Maybe you can use sudo for it :

see :

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xaf7e37f45ef7d4118fef0090279cd0f9,00.html

regards

Steven

Re: SU Restriction

Arockia Jegan — Tue, 16 Jul 2002 20:15:19 GMT

Add
SU_ROOT_GROUP=group name

in the file /etc/default/security. So only the users in that particular users will be able to su to root.

Re: SU Restriction

MANOJ SRIVASTAVA — Tue, 16 Jul 2002 20:18:23 GMT

Hi John

Here is how we do it . edit /etc/profile and add the following lines :

loginid=`who am i | awk '{print $1}'`

echo $loginid
if [ $loginid = root ]
then
exit
fi

this will throw out anyone trying to log in as root , so to go to root you have to su to root after logging in as a normal user.

Manoj Srivastava

Re: SU Restriction

Arockia Jegan — Tue, 16 Jul 2002 20:18:34 GMT

There is an another way to setup this security. Install sudo software and modify the //etc/sudoers file to allow only the particular users to su to root.

You can get sudo from here,

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.6/

Re: SU Restriction

Bill Hassell — Tue, 16 Jul 2002 23:07:51 GMT

Just a note about the /etc/default/security file: although it is standard on 11i, you'll need the latest libpam patch PHCO_25527. Unfortunately, the man page for security is missing so you'll need to look at docs.hp.com for the details:

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90696/B2355-90696_top.html&con=/hpux/onlinedocs/B2355-90696/00/01/111-con.html&toc=/hpux/onlinedocs/B2355-90696/00/01/111-toc.html&searchterms=security%7c4&queryid=20020716-171645

and

http://docs.hp.com/hpux/onlinedocs/5185-4391/5185-4391.html

Re: SU Restriction

Michael Tully — Tue, 16 Jul 2002 23:14:13 GMT

sudo is the recommendation. To restrict admins even further, you could go one step further and lock up the root passwd as well. Have the IT manager keep it (them) in a locked safe with limited access. You don't need the root passwd if sudo is installed and *used* correctly. Each instance of it's usage can be logged and tracked, as to who does what and when. Also remove '.rhosts' and '/etc/hosts.equiv files.