topic Re: restricting su in Operating System - HP-UX

restricting su

Rainer von Bongartz — Thu, 18 Sep 2003 08:42:35 GMT

Is there any way to restrict the su command .

I want to allow
su - user1
but
su - user2
should be denied.

Regards
Rainer

Re: restricting su

Stefan Farrelly — Thu, 18 Sep 2003 08:50:28 GMT

You will have to replace the su binary with a script which checks for who you are trying to su to then allows or disallows it.

Re: restricting su

Thierry Poels_1 — Thu, 18 Sep 2003 09:06:48 GMT

Hi,

for non-root users this is easy : keep user2's password secret ;-)

for root : you could test in user2's .profile on 'who am i' which still reflects the original user.
But 'su user2' (without the minus) will pass this again :(

good luck,
Thierry.

Re: restricting su

David_246 — Thu, 18 Sep 2003 09:47:05 GMT

Sorry, I don't agree.
I think there is only one way (when not using an external produkt) to solve this. Current permissions are :
-r-sr-xr-x 1 root root 24576 Aug 6 1998 /usr/bin/su

change them to :
-r-sr-x--- 1 root sugroup 24576 Aug 6 1998 /usr/bin/su

Now you create a sugroup in the /etc/group. Make the members that are allowed to examine su member of the group sugroup.

Regs David

Re: restricting su

Rainer von Bongartz — Thu, 18 Sep 2003 10:16:56 GMT

Hi guys,

I do not want to restrict the use of su (any user is allowed to use it) but I need to restrict the target user called by su. There is a list of users which are only allowed to do a regular login, the use of su to gain this users priviliges is not allowed. (Of course this is a demand from our audit people so let's not debate about the sense of this demand)

Regards
Rainer

Re: restricting su

Stefan Farrelly — Thu, 18 Sep 2003 11:09:21 GMT

Ive not heard of auditing requiring this before. Ive heard many times of them requiring an audit trail of who uses the su command. This is easier as all you need to do is switch on accounting and select the su system call so you can log processes which use it. Then, just in case, you can backtrack and see who used su in the event of a problem.

Re: restricting su

Brian Bergstrand — Thu, 18 Sep 2003 11:31:20 GMT

There is a more secure way to do this than a script -- if you can install sudo.

First, disable all access to /usr/bin/su

# chmod go-rwx /usr/bin/su

Then add the following to /etc/sudoers

ALL ALL = NOPASSWD : /usr/bin/su

Then to su, your users run:

sudo su

If does not match the list provided in the sudoers file, then sudo will not allow su to run.

This also has the side benifit of loggin all su activity, including unauthorized attempts.

See the sudoers man page for the specific syntax.

HTH.

Re: restricting su

Sergejs Svitnevs — Thu, 18 Sep 2003 11:48:01 GMT

Instead of executing "su", use "sudo".
"sudo" lets you have more control over what users can do as other users.
Or
DON'T give out users passwords and change them immediately when a problem is discovered.

Regards,
Sergejs

Re: restricting su

David_246 — Thu, 18 Sep 2003 11:52:29 GMT

Hi Rainer,

Sorry for the misunderstanding. I do this using "eTrust Access Control" from CA. It works perfect for your question.
Also other sudo tools work great with it. From a standard OS without extra tooling this will not be possible.

Regs David