disabling su ability to root

JOHN TURNER_2
Frequent Advisor

Hi,

I have just received some findings from an audit, and I have to disable the ability to su - root for all users on the system, so that the only way the users can run root commands is via sudo. I already have sudo installed and configured, but need to disable the su ability. Has anyone got any hints and tips on how to do this? I have already set up the /etc/securetty file with console in it.

cheers in advance

john
GUI's are for wimps!
5 REPLIES
Patrick Wallek
Honored Contributor

Re: disabling su ability to root

If you are just talking about someone doing:

$ su - root

then they will not be successful if they do not know the root password. Make sure no one except administrators knows the root password.

If you are talking about someone doing:

$ sudo su - root

then you can add a line in your sudoers file to forbid this.

Set up a CMND_ALIAS like:

Cmnd_Alias NOSU=!/usr/bin/su root, !/usr/bin/su -, !/usr/bin/su - root

Then just assign the NOSU cmnd_alias to your users.
UVK
Trusted Contributor

Re: disabling su ability to root

Check for the /etc/security/user file; that should give you the answer.

You can disable su for anyone by just adding su=false.

-uvk
-------------------------------------------
Like it or worked !! Click kudos !!
Bill Hassell
Honored Contributor

Re: disabling su ability to root

> Check for the /etc/security/user file; that should give you the answer.

I believe that this is an AIX feature. In HP-UX, a similar file is called /etc/default/security. The man page for security gives the options but none exist to defeat the su command.

As mentioned, su will not do anything if the user does not have the password. You can also disable su completely by renaming the executable but this will likely break scripts that su to other users. Do not give out the root password.


Bill Hassell, sysadmin
Steven E. Protter
Exalted Contributor

Re: disabling su ability to root

Shalom,

If there is root password security, su - root need not be disabled.

People will not be able to log in to root. After this, watch the logs; it's a policy issue, and the users trying to log on to root need to be dealt with. It's not an IT issue.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Mark Fenton
Esteemed Contributor

Re: disabling su ability to root

I really don't think this is possible, or particularly desirable. I would think it sufficient to restrict direct root login to the console as you have done, and to control access to the root password.
As an additional measure, I suppose you could restrict use of su to a particular group (in the /etc/default/security file you would add SU_ROOT_GROUP=wheel) to prevent casual attempts at running it.
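The three control points the replies touch on (the /etc/securetty entry from the original post, Patrick Wallek's sudoers alias, and Mark Fenton's SU_ROOT_GROUP setting) can be audited together from a shell. The script below is an added example, not code from any of the posters or from HP. It assumes the HP-UX file formats (/etc/securetty listing one terminal per line, SU_ROOT_GROUP=... in /etc/default/security, the usual /etc/group layout) and that mktemp -d is available; the sample files it creates are constructed for illustration, and the function names are the author's own. Point the functions at the real paths to audit a live host.

```shell
#!/bin/sh
# Added example: offline audit of the su/root-access controls discussed in the thread.
# Sample files are constructed below so the checks run without touching a real system.

# Returns 0 when every non-comment, non-blank entry in a securetty-style file is
# exactly "console", i.e. direct root login is limited to the console.
securetty_console_only() {
    [ -r "$1" ] || return 2
    ! grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -qvx 'console'
}

# Prints the SU_ROOT_GROUP value from an /etc/default/security-style file
# (last assignment wins); prints nothing if it is unset.
su_root_group() {
    sed -n 's/^[[:space:]]*SU_ROOT_GROUP=[[:space:]]*//p' "$1" | tail -n 1
}

# Prints the members of group $2 from an /etc/group-style file $1, one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Returns 0 if a sudoers fragment contains a user specification that still reaches
# su as root: a command list granting ALL (even when followed by exclusions such
# as ", NOSU"), or /usr/bin/su listed without a leading "!". Alias and Defaults
# lines are skipped. This is a heuristic over common layouts, not a sudoers parser.
sudoers_grants_su() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -Ev '^[[:space:]]*(Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias|Defaults)' \
      | grep -Eq '[)=][[:space:]]*ALL([[:space:]]*,|[[:space:]]*$)|(^|[^!])/usr/bin/su([[:space:]]|,|$)'
}

# --- constructed sample files (not taken from any real host) -------------------
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/securetty.ok" <<'EOF'
# root may log in directly only here
console
EOF

cat > "$SAMPLE_DIR/securetty.bad" <<'EOF'
console
ttyp1
EOF

cat > "$SAMPLE_DIR/security" <<'EOF'
# /etc/default/security (constructed)
SU_ROOT_GROUP=wheel
EOF

cat > "$SAMPLE_DIR/group" <<'EOF'
root::0:root
wheel::10:alice,bob
users::20:alice,bob,carol
EOF

# An allow-list: only named commands, no shell and no su.
cat > "$SAMPLE_DIR/sudoers.allowlist" <<'EOF'
Cmnd_Alias SWINSTALL = /usr/sbin/swinstall, /usr/sbin/swremove
%ops ALL = (root) SWINSTALL
EOF

# The "ALL plus exclusion" pattern: ALL is still granted, so su remains reachable.
cat > "$SAMPLE_DIR/sudoers.exclusion" <<'EOF'
Cmnd_Alias NOSU = !/usr/bin/su root, !/usr/bin/su -, !/usr/bin/su - root
%ops ALL = (root) ALL, NOSU
EOF

# Human-readable summary: audit_su_controls SECURETTY SECURITY GROUP SUDOERS
audit_su_controls() {
    securetty_console_only "$1" && echo "securetty: root login limited to console" \
                                || echo "securetty: extra root login terminals present"
    g=$(su_root_group "$2")
    if [ -n "$g" ]; then
        echo "SU_ROOT_GROUP=$g, members: $(group_members "$3" "$g" | tr '\n' ' ')"
    else
        echo "SU_ROOT_GROUP unset: anyone who knows the root password may su to root"
    fi
    sudoers_grants_su "$4" && echo "sudoers: su as root reachable" \
                           || echo "sudoers: no path to su found"
}

audit_su_controls "$SAMPLE_DIR/securetty.ok" "$SAMPLE_DIR/security" \
                  "$SAMPLE_DIR/group" "$SAMPLE_DIR/sudoers.exclusion"
```

The sudoers check deliberately flags the `ALL, NOSU` layout: the ALL grant is what the audit should look for, because the sudoers(5) manual itself documents that "!" exclusions are not a reliable way to stop a command from being run. An allow-list of named commands, as in the sudoers.allowlist sample, is the configuration that passes cleanly. The SU_ROOT_GROUP report lists the group's members so the auditor can confirm that only administrators appear there.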