HPE Community
Operating System - HP-UX
1753366 Members
5443 Online
108792 Solutions
New Discussion

Re: Restrict su command for particular user

 
Ajin_1
Valued Contributor

‎12-27-2012 03:36 AM

‎12-27-2012 03:36 AM

Restrict su command for particular user

Hi experts

 

In HP-UX is it possible to restrict su command for specific user?

 

For eg .users .profile file i set alias name for su

 

alias su='hostname'

 

Other Than any options available...? please suggest

 

 

Thanks in Aadvance.

Thanks & Regards
Ajin.S
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Reply
4 REPLIES 4
Dennis Handly
Acclaimed Contributor

‎12-27-2012 03:42 AM

‎12-27-2012 03:42 AM

Re: Restrict su command for particular user

Why do you care?  He has to know the password.

 

Otherwise you would have to make a SUID script to check for that user, then invoke the real su.

And the real su would have to have its permissions changed to only allow root to execute it.

 

(Hmm, unfortunately, then that changed su would never ask for passwords.  )-:

0 Kudos
Reply
Ajin_1
Valued Contributor

‎12-27-2012 03:54 AM

‎12-27-2012 03:54 AM

Re: Restrict su command for particular user

Hi Dennis

 

Thanks for reply.

 

My requirement is i want to restrict the su command  for list of users .

We are using su command in scripts ,so

Thanks & Regards
Ajin.S
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎12-27-2012 04:05 AM

‎12-27-2012 04:05 AM

Re: Restrict su command for particular user

>I want to restrict the su command  for list of users.  We are using su command in scripts

 

You can change your scripts check for those users before you do the su command.

(Of course the user could copy the script and remove those checks.)

 

 

0 Kudos
Reply
Ken Grabowski
Respected Contributor

‎12-27-2012 05:54 AM

‎12-27-2012 05:54 AM

Re: Restrict su command for particular user

There are no built-in security features for the su command. If the user knows the password to the user they are trying to become, then they can use it.  Many shops where security is an issue remove the su command and make users and scripts use either sudo or RBAC.  The sudo utilities have been around for a long time and are more common. However, they are open source and not directly supported by HP.  I would suggest using the HP-UX RBAC packages built into 11.31 and available for 11.23. They let you get very granular in granting privileges and give you logs. They are no harder to structure than sudo and I think they work better, once you get past the learning curve.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.