- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: su command restiction
Operating System - HP-UX
1751957
Members
5095
Online
108783
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-19-2009 11:18 AM
тАО06-19-2009 11:18 AM
su command restiction
how to restict the specific user for using the su command. [e.g] the user name is cbeny..please let me know.. i have to perform in a server .. Thanks in advance .. points assured
4 REPLIES 4
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-19-2009 11:56 AM
тАО06-19-2009 11:56 AM
Re: su command restiction
if "cbeny" knows the password of the "target" user, you can't disable "su".
you could place "cbeny" in a resticted shell, but that may be overkill for what you want to accomplish
you could write a wrapper script for the std "su" that looks at who ran it before doing the real "su"
you could use "sudo", or "PowerBroker"
you could place "cbeny" in a resticted shell, but that may be overkill for what you want to accomplish
you could write a wrapper script for the std "su" that looks at who ran it before doing the real "su"
you could use "sudo", or "PowerBroker"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-19-2009 12:10 PM
тАО06-19-2009 12:10 PM
Re: su command restiction
Hi:
As OldSchool mentions, 'switch-user' or 'su' is password authenticated and a password will be posed everytime unless starting from root and going to a user account. 'root' is not authenticated with 'su', only user accounts are.
If the issue is with 'su - root' from a user account then you can convert to a trusted system and live with those nusances, but I think popularity for trusted systems had really diminished since 10.20 and 11.00.
You can also use the even less popular NIS Plus and get the same root restirctions. But I have yet to find an HP-UX box using NIS Plus. Its very unpopular.
As OldSchool mentions, 'switch-user' or 'su' is password authenticated and a password will be posed everytime unless starting from root and going to a user account. 'root' is not authenticated with 'su', only user accounts are.
If the issue is with 'su - root' from a user account then you can convert to a trusted system and live with those nusances, but I think popularity for trusted systems had really diminished since 10.20 and 11.00.
You can also use the even less popular NIS Plus and get the same root restirctions. But I have yet to find an HP-UX box using NIS Plus. Its very unpopular.
Support Fatherhood - Stop Family Law
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-19-2009 03:43 PM
тАО06-19-2009 03:43 PM
Re: su command restiction
Hello,
Apart from the advice you already got from
others, here are other options:
a) Set option SU_ROOT_GROUP in /etc/default/security and add user "cbeny" if
they are allowed to su(1) to "root".
Or, if you do not want "cbeny" to be able to
su(1) to "root", then make them not be
part of Unix group as defined in SU_ROOT_GROUP.
b) Change permissions on /usr/bin/su (normally 4555, owner root, group bin or
root), to a more restrictive, say 4550:
-r-sr-x--- 1 root sugrp ... /usr/bin/su
Then, create a sugrp in /etc/group. Add
the users that are allowed to run su(1) to
membership of the Unix group sugrp.
c) Finally, think about using
Role Based Access Control.
Cheers,
VK2COT
Apart from the advice you already got from
others, here are other options:
a) Set option SU_ROOT_GROUP in /etc/default/security and add user "cbeny" if
they are allowed to su(1) to "root".
Or, if you do not want "cbeny" to be able to
su(1) to "root", then make them not be
part of Unix group as defined in SU_ROOT_GROUP.
b) Change permissions on /usr/bin/su (normally 4555, owner root, group bin or
root), to a more restrictive, say 4550:
-r-sr-x--- 1 root sugrp ... /usr/bin/su
Then, create a sugrp in /etc/group. Add
the users that are allowed to run su(1) to
membership of the Unix group sugrp.
c) Finally, think about using
Role Based Access Control.
Cheers,
VK2COT
VK2COT - Dusan Baljevic
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-19-2009 06:41 PM
тАО06-19-2009 06:41 PM
Re: su command restiction
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1349273
Support Fatherhood - Stop Family Law
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP