System Administration

Restrict su command for particular user

Ajin_1
Valued Contributor

Hi experts,

In HP-UX, is it possible to restrict the su command for a specific user?

For example, in the user's .profile file I set an alias name for su:

alias su='hostname'

Other than that, are any options available? Please suggest.

Thanks in advance.

Thanks & Regards
Ajin.S
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
4 REPLIES
Dennis Handly
Acclaimed Contributor

Re: Restrict su command for particular user

Why do you care?  He has to know the password.

 

Otherwise you would have to make a SUID script to check for that user, then invoke the real su.

And the real su would have to have its permissions changed to only allow root to execute it.

 

(Hmm, unfortunately, then that changed su would never ask for passwords.  )-:

Ajin_1
Valued Contributor

Re: Restrict su command for particular user

Hi Dennis,

Thanks for the reply.

My requirement is that I want to restrict the su command for a list of users.

We are using the su command in scripts, so

Thanks & Regards
Ajin.S
Dennis Handly
Acclaimed Contributor

Re: Restrict su command for particular user

>I want to restrict the su command  for list of users.  We are using su command in scripts

 

You can change your scripts to check for those users before you do the su command.

(Of course the user could copy the script and remove those checks.)
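
The in-script check suggested in the reply above, as an added example that is not part of the original thread: a guard that looks the caller up in a deny list before running su. The file path /etc/su.deny and the function names su_allowed and guarded_su are assumptions made for illustration.

```shell
# Added example: deny-list guard to run before su inside a script.
# DENY_FILE and both function names are hypothetical, not from the thread.
DENY_FILE="${DENY_FILE:-/etc/su.deny}"  # assumed root-owned, one login name per line

# Return 0 if the user may proceed, 1 if listed or if the list is unreadable.
su_allowed() {
    user=$1
    deny_file=$2
    # Fail closed: an unreadable or missing list denies everyone.
    [ -r "$deny_file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                           # drop trailing comments
        name=$(printf '%s' "$line" | tr -d ' \t')  # drop padding
        [ -z "$name" ] && continue
        # Whole-name comparison, so "ajin" does not also block "ajin2".
        [ "$name" = "$user" ] && return 1
    done < "$deny_file"
    return 0
}

# Usage: guarded_su TARGET_USER 'command'
guarded_su() {
    target=$1
    cmd=$2
    # Take the name from the process credentials; LOGNAME and USER are
    # environment variables the caller can set to anything.
    caller=$(id -un) || return 1
    if su_allowed "$caller" "$DENY_FILE"; then
        su - "$target" -c "$cmd"
    else
        logger -p auth.notice "script guard refused su to $target for $caller"
        echo "su is not permitted for $caller" >&2
        return 1
    fi
}
```

This guard only covers scripts that call guarded_su; it does not change who can run su directly, so the syslog entry is mainly useful as an audit trail.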

 

 

Ken Grabowski
Respected Contributor

Re: Restrict su command for particular user

There are no built-in security features for the su command. If the user knows the password to the user they are trying to become, then they can use it.  Many shops where security is an issue remove the su command and make users and scripts use either sudo or RBAC.  The sudo utilities have been around for a long time and are more common. However, they are open source and not directly supported by HP.  I would suggest using the HP-UX RBAC packages built into 11.31 and available for 11.23. They let you get very granular in granting privileges and give you logs. They are no harder to structure than sudo and I think they work better, once you get past the learning curve.