04-25-2008 11:24 AM
access controls on su
# ll /etc/security/su*
-rw-r--r-- 1 root root 8 Feb 15 2006 /etc/security/suapplmgr
-rw-r--r-- 1 root root 7 Feb 15 2006 /etc/security/suoracle
-rw-r--r-- 1 root root 5 Feb 15 2006 /etc/security/suroot
Is there an equivalent in HP-UX or an alternate method?
04-25-2008 11:42 AM
Re: access controls on su
1) su access is only limited to knowing the password of who you are su'ing to
2) if not root then permissions are controlled by standard file permissions and some directives defined in /etc/defaults/security
3) I see others typically use sudo (3rd party app) for this purpose.
man su
or
man security
for more.
04-25-2008 11:50 AM
Re: access controls on su
1) Create a unique group (say 'some_unique_group')
2) add the following line to /etc/default/security file:
SU_ROOT_GROUP=some_unique_group
3) add the users who should be allowed to do 'su root' to this group:
in file /etc/group:
some_unique_group::GID:user1,user2,user3...
Not sure if there is a way to restrict 'su' to other non-root accounts.
thanks,
sj
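A read-only check of the setup in this reply, added here as an example and not part of the thread: it reads SU_ROOT_GROUP from the security defaults file and reports whether a user is listed for that group. The function names, exit codes and sample files are assumptions made for the example, and it inspects only the member list in the group file, as the reply describes.

```shell
#!/bin/sh
# Added example: audit the SU_ROOT_GROUP restriction from the reply above.
# Reads only the two files the reply names; paths are arguments so copies can be checked.

# Print the SU_ROOT_GROUP value from a security defaults file ($1).
# Commented lines are ignored; if the attribute repeats, the last one is reported.
su_root_group() {
    awk -F= '/^[ \t]*SU_ROOT_GROUP[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { if (v != "") print v }' "$1"
}

# Print the member list (field 4) of group $1 from group file $2; fail if absent.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4; found = 1 } END { exit !found }' "$2"
}

# Exit status: 0 user listed in the group, 1 not listed,
# 2 SU_ROOT_GROUP not set, 3 group named but missing from the group file.
may_su_root() {
    user=$1 sec=${2:-/etc/default/security} grp=${3:-/etc/group}
    g=$(su_root_group "$sec" 2>/dev/null)
    [ -n "$g" ] || return 2
    members=$(group_members "$g" "$grp") || return 3
    case ",$members," in
        *",$user,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (not from a real system), using the placeholder
# group and user names from the reply.
write_sample() {
    printf '%s\n' '# constructed sample' 'SU_ROOT_GROUP=some_unique_group' > "$1/security"
    printf '%s\n' 'users::20:user1,user4' \
                  'some_unique_group::1001:user1,user2,user3' > "$1/group"
}

# Demo against the constructed files; on a real host call may_su_root with
# only a user name to use the default paths.
d=${TMPDIR:-/tmp}/su_audit.$$; mkdir "$d"; write_sample "$d"
for u in user1 user4; do
    if may_su_root "$u" "$d/security" "$d/group"; then echo "$u: listed"
    else echo "$u: not permitted (status $?)"; fi
done
rm -rf "$d"
```

Status 2 and 3 are worth alerting on separately: the first means the restriction is not configured at all, the second that it names a group the group file does not define.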
04-25-2008 01:27 PM
Re: access controls on su
a) The method you showed in Linux is based on PAM. Since HP-UX supports PAM, I guess it is possible to do it. In fact, when I get back from a business trip in two weeks, I will try it myself.
b) The second option would be SUDO with SUDOSH. That one I have implemented for a large company running Solaris, Linux and HP-UX.
c) Finally, if you use HP-UX 11.23 or 11.31, go for Role Based Access Control (RBAC). Such a good tool, used so little in HP-UX. Pity.
Cheers,
VK2COT
01-25-2009 04:43 PM
Re: access controls on su
[ghosha@/home/ghosha] #su -
Password:
Last successful login for root: Fri Jan 23 09:48:35 EST5EDT 2009
Last unsuccessful login for root: Thu Jan 22 12:04:28 EST5EDT 2009
su: Not a member of the SU_ROOT_GROUP defined in /etc/default/security
[ghosha@/home/ghosha] #
su to root account is prevented if the users are NOT members of easroot. But NOT available for any other accounts.