HPE Community
Operating System - HP-UX
1753765 Members
5338 Online
108799 Solutions
New Discussion юеВ

Re: access controls on su

 
skt_skt
Honored Contributor

тАО04-25-2008 11:24 AM

тАО04-25-2008 11:24 AM

access controls on su

In Linux, following files controle the su access

# ll /etc/security/su*
-rw-r--r-- 1 root root 8 Feb 15 2006 /etc/security/suapplmgr
-rw-r--r-- 1 root root 7 Feb 15 2006 /etc/security/suoracle
-rw-r--r-- 1 root root 5 Feb 15 2006 /etc/security/suroot

is there an equivalent in HP-UX or an alternate method!


0 Kudos
Reply
4 REPLIES 4
Tim Nelson
Honored Contributor

тАО04-25-2008 11:42 AM

тАО04-25-2008 11:42 AM

Re: access controls on su

As far as I know.

1) su access is only limited to knowing the password of who you are su'ing to

2) if not root then permissions are controlled by standard file permissions and some directives defined in /etc/defaults/security

3) I see others typically use sudo (3rd party app) for this purpose.

man su
or
man security

for more.

0 Kudos
Reply
Srini Jay
Valued Contributor

тАО04-25-2008 11:50 AM

тАО04-25-2008 11:50 AM

Re: access controls on su

To control who can 'su - root', you can do the following:

1) Create a unique group (say 'some_unique_group')

2) add the following line to /etc/default/security file:
SU_ROOT_GROUP=some_unique_group

3) add the users who should should be allowed to do 'su root' to this group:

in file /etc/group:

some_unique_group::GID:user1,user2,user3...


Not sure if there is a way restrict 'su' to other non-root account.

thanks,
sj


0 Kudos
Reply
VK2COT
Honored Contributor

тАО04-25-2008 01:27 PM

тАО04-25-2008 01:27 PM

Re: access controls on su

Hello,

a) The method you showed in Linux is based
on PAM.

Since HP-UX supports PAM, I guess it
is possible to do it. In fact,
when I get back from a business trip in two
weeks, I will try it myself.

b) The second option would be SUDO with SUDOSH.

That one I have implemented for a large
company running Solaris, Linux and HP-UX.

c) Finally, if you use HP-UX 11.23 or 11.31,
go for Role Based Access Control (RBAC).

Such a good tool, used so little in HP-UX.
Pity.

Cheers,

VK2COT



VK2COT - Dusan Baljevic
0 Kudos
Reply
skt_skt
Honored Contributor

тАО01-25-2009 04:43 PM

тАО01-25-2009 04:43 PM

Re: access controls on su


[ghosha@/home/ghosha] #su -
Password:
Last successful login for root: Fri Jan 23 09:48:35 EST5EDT 2009
Last unsuccessful login for root: Thu Jan 22 12:04:28 EST5EDT 2009
su: Not a member of the SU_ROOT_GROUP defined in /etc/default/security
[ghosha@/home/ghosha] #

su to root account is prevented if the users are NOT members of easroot. But NOT available for any other accounts.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.