topic Re: Securing su in Operating System - HP-UX

Securing su

Andrew Cowan — Fri, 27 Apr 2001 06:41:53 GMT

I am trying to restrict su from group to group, or user to user. We have constructed a security matrix with rules such as: "support users can su to root" and "dbas can su to Oracle and db2".

I have written a wrapper script which handles the authentication, however su fails under certain circumstances, yet returns no error e.g.

/usr/bin/su - iaa -c "/appl/iaa/bin/iaa &" > /dev/null 2>&1

yet it returns no error code.

My script calls su with: /usr/bin/su "$@"

Any ideas, or alternative su scripts?

Re: Securing su

Stefan Farrelly — Fri, 27 Apr 2001 07:01:26 GMT

/usr/bin/su - iaa -c "/appl/iaa/bin/iaa &" > /dev/null 2>&1

The error code is probably being generated from the script your running under the -c option, and thus no error code returned to you. You need to capture the error code there, ie;

/usr/bin/su - iaa -c "/appl/iaa/bin/iaa 2>/tmp/err &" > /dev/null 2>&1

Then check /tmp/err afterwards.

Re: Securing su

Andrew Cowan — Thu, 03 May 2001 04:47:58 GMT

Thanks Stefan, but I think I have not explained the problem clearly enough.

My script works fine when executed from a regular shell, however, when I run it as part of a Serviceguard package, I get a usage error from "su". It all comes down to the single command:

su "$@" - That is "su" the original binary, and "$@" is just the command line parameters when the script was called. The command is:

su_script - iaa -c "/appl/iaa/bin/iaa &" > /dev/null 2>&1

It seems that the "" are being incorrectly parsed whilst in the background. So I get "-".... usage errors.

Re: Securing su

Paul Winchcombe — Thu, 03 May 2001 09:16:21 GMT

I know this doesn't answer your question but have you tried sudo ?

http://hpux.cs.utah.edu/

Re: Securing su

Andrew Cowan — Thu, 03 May 2001 09:29:28 GMT

Yes I am specically told I cannot use it in this case.

Re: Securing su

Patrick Wallek — Thu, 03 May 2001 14:45:02 GMT

I don't quite understand why you can't use sudo. Is this a directive from "the powers that be"? (Management)

sudo is designed, and works VERY well, for things exactly like this. You could have sudo set up for this in no time, but if you keep trying to solve this problem, then you may be a while.

Re: Securing su

Andrew Cowan — Thu, 03 May 2001 15:03:26 GMT

Yes, in this case. I dearly want to do it the easy way, but this is a bank!

Re: Securing su

Mike Wilcox — Fri, 04 May 2001 19:34:54 GMT

If you can't use sudo, there is another utility called SuGuard that costs money. Maybe the powers that be will like it if it costs money. SuGuard does what sudo does and also has some added functionality.

Good Luck.