
su command restriction

Regular Advisor

su command restriction

How to restrict a specific user from using the su command? E.g. the user name is cbeny. Please let me know. I have to perform this on a server. Thanks in advance. Points assured.
Honored Contributor

Re: su command restriction

If "cbeny" knows the password of the "target" user, you can't disable "su".

You could place "cbeny" in a restricted shell, but that may be overkill for what you want to accomplish.

You could write a wrapper script for the std "su" that looks at who ran it before doing the real "su".

You could use "sudo", or "PowerBroker".
Michael Steele_2
Honored Contributor

Re: su command restriction


As OldSchool mentions, 'switch-user' or 'su' is password authenticated and a password will be posed every time unless starting from root and going to a user account. 'root' is not authenticated with 'su', only user accounts are.

If the issue is with 'su - root' from a user account then you can convert to a trusted system and live with those nuisances, but I think popularity for trusted systems had really diminished since 10.20 and 11.00.

You can also use the even less popular NIS Plus and get the same root restrictions. But I have yet to find an HP-UX box using NIS Plus. It's very unpopular.
Support Fatherhood - Stop Family Law
Honored Contributor

Re: su command restriction


Apart from the advice you already got from others, here are other options:

a) Set option SU_ROOT_GROUP in /etc/default/security and add user "cbeny" if they are allowed to su(1) to "root".

Or, if you do not want "cbeny" to be able to su(1) to "root", then make them not be part of Unix group as defined in SU_ROOT_GROUP.

b) Change permissions on /usr/bin/su (normally 4555, owner root, group bin or root), to a more restrictive, say 4550:

-r-sr-x--- 1 root sugrp ... /usr/bin/su

Then, create a sugrp in /etc/group. Add the users that are allowed to run su(1) to membership of the Unix group sugrp.

c) Finally, think about using Role Based Access Control.


VK2COT - Dusan Baljevic
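
Added example (not part of the thread and not any poster's code): a shell audit helper that evaluates options (a) and (b) from the reply above against copies of the security, group and passwd files. The file contents, the user opsadm and the use of sugrp as the SU_ROOT_GROUP value are constructed assumptions; ACLs and the root account itself are not considered.

```shell
#!/bin/sh
# Added example; every file below is constructed sample data, not from the thread.

# Print the SU_ROOT_GROUP value from a security(4)-style file (empty if unset).
su_root_group() {
    sed -n 's/^[[:space:]]*SU_ROOT_GROUP=\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# in_group USER GROUP GROUPFILE PASSWDFILE: true if USER is listed as a member
# of GROUP or has GROUP as primary GID.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        FNR == NR { if ($1 == u) pgid = $4; next }   # first file: passwd
        $1 == g {
            if (pgid != "" && $3 == pgid) ok = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$4" "$3"
}

# Option (a): may USER su to root? Args: USER SECURITYFILE GROUPFILE PASSWDFILE
may_su_root() {
    grp=$(su_root_group "$2")
    [ -z "$grp" ] && return 0        # SU_ROOT_GROUP unset: no group restriction
    in_group "$1" "$grp" "$3" "$4"
}

# Option (b): can USER execute su at all, given its ls -l mode string and group?
# Args: USER MODE SUGROUP GROUPFILE PASSWDFILE
may_exec_su() {
    case "$2" in
        ?????????[xt]) return 0 ;;                      # world-executable (e.g. 4555)
        ??????[xs]???) in_group "$1" "$3" "$4" "$5" ;;  # group-executable (4550)
        *) return 1 ;;
    esac
}

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# constructed sample' 'SU_ROOT_GROUP=sugrp' > "$demo/security"
printf '%s\n' 'users::20:' 'sugrp::300:opsadm' > "$demo/group"
printf '%s\n' 'cbeny:*:101:20::/home/cbeny:/sbin/sh' \
              'opsadm:*:102:20::/home/opsadm:/sbin/sh' > "$demo/passwd"

for u in cbeny opsadm; do
    may_su_root "$u" "$demo/security" "$demo/group" "$demo/passwd" && a=allowed || a=denied
    may_exec_su "$u" "-r-sr-x---" sugrp "$demo/group" "$demo/passwd" && b=allowed || b=denied
    echo "$u: su to root under (a): $a; execute su under (b): $b"
done
```

With the mode left at 4555, may_exec_su reports every user as allowed, which is why option (b) only takes effect once the "other" execute bit is removed.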
Michael Steele_2
Honored Contributor

Re: su command restriction