cancel
Showing results for 
Search instead for 
Did you mean: 

Security IDs

Fenglin
Regular Advisor

Security IDs

Hi

How to create/set an ID that cannot switch user to root?

Regards
Feng Lin
4 REPLIES
Matti_Kurkela
Honored Contributor

Re: Security IDs

Do you assume that the owner(s) of that ID will get to know the root password? If so, you have a critical problem in your root password management: fix that first.

You can create a group that includes all the users that should be allowed to switch to root, then change the permissions of the "su" command to make it executable by that group only.

Restricting the "su" command will make it difficult to access other non-personal user accounts (i.e. application user accounts). So you may have to provide an alternative that allows more flexible security controls than the "su" command. A common alternative is "sudo": it is available in the free HP Internet Express package.

"sudo" allows the sysadmin to define the things a user is allowed to do using accounts other than his/her own, in a case-by-case basis.

When using sudo to switch from ID A to ID B, the user is not normally asked the password of ID B. Instead, if the action is allowed in the sudo configuration, the user may be simply allowed to do it, or required to enter the password of ID A to confirm their identity. If you want sudo to require the password of ID B, that is configurable too.

From a security perspective, it would be best if each user has a unique, personal ID which is used by nobody else. If the user hasn't been authorized to do something, the system should stop him/her from doing it at all. From the ease-of-use perspective, if the user has been authorized to do something, it should "just work" with the minimum required extra steps because of security restrictions. That's exactly the combination of behaviours you can achieve with sudo.

MK
MK
Johnson Punniyalingam
Honored Contributor

Re: Security IDs

Fenglin
Regular Advisor

Re: Security IDs

Hi Matti

How do I restrict group A to be able to su to root and group B not to be able to su to root?

Regards
Feng Lin
Doug O'Leary
Honored Contributor

Re: Security IDs

Hey;

man security(4); the option you're looking for is called SU_ROOT_GROUP. It's effective since 11.11.

So, define a group you want to be able to su - root, then define it in the security file:

groupadd sysadm
echo "SU_ROOT_GROUP=sysadm" >> /etc/default/security

should do the trick.

Doug O'Leary

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html