HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Restrict su command for particular user

 
Ajin_1
Valued Contributor

Restrict su command for particular user

Hi experts

 

In HP-UX is it possible to restrict su command for specific user?

 

For eg .users .profile file i set alias name for su

 

alias su='hostname'

 

Other Than any options available...? please suggest

 

 

Thanks in Aadvance.

Thanks & Regards
Ajin.S
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
4 REPLIES

Re: Restrict su command for particular user

Why do you care?  He has to know the password.

 

Otherwise you would have to make a SUID script to check for that user, then invoke the real su.

And the real su would have to have its permissions changed to only allow root to execute it.

 

(Hmm, unfortunately, then that changed su would never ask for passwords.  )-:

Ajin_1
Valued Contributor

Re: Restrict su command for particular user

Hi Dennis

 

Thanks for reply.

 

My requirement is i want to restrict the su command  for list of users .

We are using su command in scripts ,so

Thanks & Regards
Ajin.S
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.

Re: Restrict su command for particular user

>I want to restrict the su command  for list of users.  We are using su command in scripts

 

You can change your scripts check for those users before you do the su command.

(Of course the user could copy the script and remove those checks.)

 

 

Ken Grabowski
Respected Contributor

Re: Restrict su command for particular user

There are no built-in security features for the su command. If the user knows the password to the user they are trying to become, then they can use it.  Many shops where security is an issue remove the su command and make users and scripts use either sudo or RBAC.  The sudo utilities have been around for a long time and are more common. However, they are open source and not directly supported by HP.  I would suggest using the HP-UX RBAC packages built into 11.31 and available for 11.23. They let you get very granular in granting privileges and give you logs. They are no harder to structure than sudo and I think they work better, once you get past the learning curve.