
configuring su to allow non group 0 accounts access

Abar
Occasional Visitor


I am in the process of trying to lock out all remote logins to root by modifying the securettys file, forcing su. However, I still need to allow multiple non-group 0 accounts to access root away from the console. I attempted to set up a wheel group to allow non-system group accounts remote access via su. However, after configuring the wheel group I now had to add any accounts needing 'su' to both the system and wheel groups. Any ideas? Is it possible to allow a non-group 0 account access to su with this OS at all? Is there maybe a patch for su that would allow this? The OS is V5, TRU64 UNIX on Compaq ES40s.
5 REPLIES
Orjan Petersson
Frequent Advisor

Re: configuring su to allow non group 0 accounts access

AFAIK, there is no way to allow users not in group 0 to su to root (short of writing your own su). Common workarounds are dop (built-in) and sudo (open-source).
Ivan Ferreira
Honored Contributor

Re: configuring su to allow non group 0 accounts access

I agree with the use of Division of Privileges or sudo. As Tru64 does not use PAM, you cannot modify the behaviour of the su utility.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Abar
Occasional Visitor

Re: configuring su to allow non group 0 accounts access

Thanks to both of you for your responses. I had considered configuring dop; however, I was not sure to what level this can be locked down as well. For example, I would like to allow hwmgr, shutdown, dsfmgr, and an audit_tool script without allowing other powerful commands. Can dop work like this, or does something like shutdown fall under a whole range of non-exclusive commands?
Mark Poeschl_2
Honored Contributor

Re: configuring su to allow non group 0 accounts access

I think dop will work for you. You can define specific commands and even switches on those commands to be executable as root in the /etc/doprc file.
Orjan Petersson
Frequent Advisor

Re: configuring su to allow non group 0 accounts access

More information about dop can be found in Appendix G of the Tru64 5.1A Security documentation: http://h30097.www3.hp.com/docs/base_doc/DOCUMENTATION/V51A_PDF/ARH95DTE.PDF
For some reason, that section seems to be missing in the 5.1B doc.
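
The restriction asked about in the thread (hwmgr, shutdown, dsfmgr and an audit_tool script, nothing else) can be expressed with sudo, one of the two workarounds named above. This is an added example, not part of the original posts and not dop syntax; the group name `sysops`, the binary paths and the audit_tool location are assumptions to adjust for the system.

```sudoers
# Added example: least-privilege sudoers fragment. Edit only with visudo.
# Assumed names: group "sysops", the paths below, and the audit_tool location.

# Record every sudo invocation in a dedicated log file (path is an assumption).
Defaults logfile=/var/adm/sudo.log

# Full paths only: sudo matches the resolved path, so a same-named binary
# placed elsewhere in the user's PATH is not covered by these aliases.
Cmnd_Alias HW_ADMIN = /sbin/hwmgr, /sbin/dsfmgr
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias AUDIT    = /usr/local/sbin/audit_tool

# Members of sysops may run these commands as root after entering their own
# password. No shells, editors or "ALL" are granted, so anything not listed
# here is refused and logged.
%sysops ALL = (root) HW_ADMIN, SHUTDOWN, AUDIT
```

The audit_tool script and its directory have to be owned by root and not writable by members of the group, since whoever can edit a script listed here can run arbitrary commands as root. `visudo -c` checks the file's syntax before it is relied on.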