Securing su

Andrew Cowan
Honored Contributor

Securing su

I am trying to restrict su from group to group, or user to user. We have constructed a security matrix with rules such as "support users can su to root" and "DBAs can su to Oracle and db2".

I have written a wrapper script which handles the authentication; however, su fails under certain circumstances yet returns no error, e.g.:

/usr/bin/su - iaa -c "/appl/iaa/bin/iaa &" > /dev/null 2>&1

yet it returns no error code.

My script calls su with: /usr/bin/su "$@"

Any ideas, or alternative su scripts?
Stefan Farrelly
Honored Contributor

Re: Securing su


/usr/bin/su - iaa -c "/appl/iaa/bin/iaa &" > /dev/null 2>&1

The error code is probably being generated by the script you're running under the -c option, and thus no error code is returned to you. You need to capture the error code there, i.e.:

/usr/bin/su - iaa -c "/appl/iaa/bin/iaa 2>/tmp/err &" > /dev/null 2>&1

Then check /tmp/err afterwards.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Andrew Cowan
Honored Contributor

Re: Securing su

Thanks Stefan, but I think I have not explained the problem clearly enough.

My script works fine when executed from a regular shell, however, when I run it as part of a Serviceguard package, I get a usage error from "su". It all comes down to the single command:

su "$@" - that is, "su" is the original binary, and "$@" is just the command-line parameters the script was called with. The command is:

su_script - iaa -c "/appl/iaa/bin/iaa &" > /dev/null 2>&1

It seems that the "" are being incorrectly parsed whilst in the background, so I get "-" ... usage errors.
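As an added illustration of the two points raised so far in this thread (the wrapper handing "$@" to the real su unchanged, and why su -c "cmd &" reports no error), here is a small policy-checking su wrapper in POSIX sh. It is example code written for this page, not the poster's script or anything from HP: the matrix format, the group names, the SU_BIN variable and the helper names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a policy-checking su wrapper
# that hands its argument list to the real su unchanged. The matrix format,
# the group names and SU_BIN are assumptions made for this example.

# Policy matrix as "callergroup:targetuser" pairs (constructed example:
# "support users can su to root", "DBAs can su to oracle and db2").
SU_MATRIX="support:root dba:oracle dba:db2"

# Path of the real su; overridable so the wrapper can be exercised
# without actually switching user.
SU_BIN="${SU_BIN:-/usr/bin/su}"

# su_allowed GROUP USER: returns 0 if members of GROUP may become USER.
su_allowed() {
    for rule in $SU_MATRIX; do
        [ "$rule" = "$1:$2" ] && return 0
    done
    return 1
}

# su_target ARGS...: print the target user of an su-style argument list.
# "-" and options are skipped, "-c" consumes the command that follows it,
# and when no user is named the target is root (su's own default).
su_target() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -c) shift; if [ $# -gt 0 ]; then shift; fi ;;
            -*) shift ;;
            *)  printf '%s\n' "$1"; return 0 ;;
        esac
    done
    printf '%s\n' root
}

# su_check GROUP ARGS...: the policy decision for a call made by a member
# of GROUP with su's arguments ARGS. Prints the target user; returns 0 if
# the call is allowed, 1 if not.
su_check() {
    group="$1"; shift
    target="$(su_target "$@")"
    printf '%s\n' "$target"
    su_allowed "$group" "$target"
}

# su_wrapper ARGS...: the deployable entry point (append  su_wrapper "$@"
# to the script). The quoted "$@" is what keeps  -c "/appl/iaa/bin/iaa &"
# as a single argument; an unquoted $@ or $* is re-split on whitespace, so
# su and the shell it starts receive a different argument list from the one
# the caller wrote. Only the primary group is checked here; a real wrapper
# would also consult the supplementary groups from  id -Gn.
su_wrapper() {
    group="$(id -gn)"
    if ! su_check "$group" "$@" >/dev/null; then
        echo "su_wrapper: group $group may not su with: $*" >&2
        return 1
    fi
    logger -t su_wrapper "allowed: $(id -un) ($group) -> $*"
    exec "$SU_BIN" "$@"
}

# Helpers that show the word-splitting difference by counting the words
# the real su would receive.
count_args() { echo $#; }
argc_unquoted() { count_args $@; }    # the bug: arguments re-split
argc_quoted()   { count_args "$@"; }  # the fix: arguments preserved

# sh_status CMD: exit status of running CMD through "sh -c", the way
# su -c does. A backgrounded command ("cmd &") always yields 0 because the
# shell returns as soon as the job is launched; the command's own failure
# never reaches the caller.
sh_status() {
    st=0
    sh -c "$1" >/dev/null 2>&1 || st=$?
    echo "$st"
}

# Demonstration (policy and argument handling only; nothing switches user):
su_check dba oracle                                   # oracle, allowed
su_check dba - oracle -c "sqlplus /"                  # oracle, allowed
if ! su_check support - iaa -c "/appl/iaa/bin/iaa &" >/dev/null; then
    echo "support -> iaa denied by matrix"
fi
argc_quoted   - iaa -c "/appl/iaa/bin/iaa &"          # 4 words
argc_unquoted - iaa -c "/appl/iaa/bin/iaa &"          # 5 words
sh_status 'false'                                     # 1
sh_status 'false &'                                   # 0
```

The last two calls are the point of Stefan's reply: because the -c command is backgrounded, su itself exits 0 before /appl/iaa/bin/iaa has done anything, so its status has to be recorded by the command or by a wrapper around it, not read from su.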
Paul Winchcombe
Occasional Contributor

Re: Securing su

I know this doesn't answer your question but have you tried sudo ?

http://hpux.cs.utah.edu/
I have an above average QI
Andrew Cowan
Honored Contributor

Re: Securing su

Yes, I am specifically told I cannot use it in this case.
Patrick Wallek
Honored Contributor

Re: Securing su

I don't quite understand why you can't use sudo. Is this a directive from "the powers that be"? (Management)

sudo is designed, and works VERY well, for things exactly like this. You could have sudo set up for this in no time, but if you keep trying to solve this problem, then you may be a while.
Andrew Cowan
Honored Contributor

Re: Securing su

Yes, in this case. I dearly want to do it the easy way, but this is a bank!
Mike Wilcox
New Member

Re: Securing su

If you can't use sudo, there is another utility called SuGuard that costs money. Maybe the powers that be will like it if it costs money. SuGuard does what sudo does and also has some added functionality.

Good Luck.