HPE Community
Operating System - HP-UX
1829197 Members
2703 Online
109986 Solutions
New Discussion

su command restiction

 
gany59
Regular Advisor

‎06-19-2009 11:18 AM

‎06-19-2009 11:18 AM

su command restiction

how to restict the specific user for using the su command. [e.g] the user name is cbeny..please let me know.. i have to perform in a server .. Thanks in advance .. points assured
0 Kudos
Reply
4 REPLIES 4
OldSchool
Honored Contributor

‎06-19-2009 11:56 AM

‎06-19-2009 11:56 AM

Re: su command restiction

if "cbeny" knows the password of the "target" user, you can't disable "su".

you could place "cbeny" in a resticted shell, but that may be overkill for what you want to accomplish

you could write a wrapper script for the std "su" that looks at who ran it before doing the real "su"

you could use "sudo", or "PowerBroker"
0 Kudos
Reply
Michael Steele_2
Honored Contributor

‎06-19-2009 12:10 PM

‎06-19-2009 12:10 PM

Re: su command restiction

Hi:

As OldSchool mentions, 'switch-user' or 'su' is password authenticated and a password will be posed everytime unless starting from root and going to a user account. 'root' is not authenticated with 'su', only user accounts are.

If the issue is with 'su - root' from a user account then you can convert to a trusted system and live with those nusances, but I think popularity for trusted systems had really diminished since 10.20 and 11.00.

You can also use the even less popular NIS Plus and get the same root restirctions. But I have yet to find an HP-UX box using NIS Plus. Its very unpopular.
Support Fatherhood - Stop Family Law
0 Kudos
Reply
VK2COT
Honored Contributor

‎06-19-2009 03:43 PM

‎06-19-2009 03:43 PM

Re: su command restiction

Hello,

Apart from the advice you already got from
others, here are other options:

a) Set option SU_ROOT_GROUP in /etc/default/security and add user "cbeny" if
they are allowed to su(1) to "root".

Or, if you do not want "cbeny" to be able to
su(1) to "root", then make them not be
part of Unix group as defined in SU_ROOT_GROUP.

b) Change permissions on /usr/bin/su (normally 4555, owner root, group bin or
root), to a more restrictive, say 4550:

-r-sr-x--- 1 root sugrp ... /usr/bin/su

Then, create a sugrp in /etc/group. Add
the users that are allowed to run su(1) to
membership of the Unix group sugrp.

c) Finally, think about using
Role Based Access Control.

Cheers,

VK2COT
VK2COT - Dusan Baljevic
0 Kudos
Reply
Michael Steele_2
Honored Contributor

‎06-19-2009 06:41 PM

‎06-19-2009 06:41 PM

Re: su command restiction

http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1349273
Support Fatherhood - Stop Family Law
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.