06-19-2009 11:18 AM
su command restriction
06-19-2009 11:56 AM
Re: su command restriction
You could place "cbeny" in a restricted shell, but that may be overkill for what you want to accomplish.
You could write a wrapper script for the std "su" that looks at who ran it before doing the real "su".
You could use "sudo", or "PowerBroker".
06-19-2009 12:10 PM
Re: su command restriction
As OldSchool mentions, 'switch-user' or 'su' is password authenticated and a password will be posed every time unless starting from root and going to a user account. 'root' is not authenticated with 'su', only user accounts are.
If the issue is with 'su - root' from a user account then you can convert to a trusted system and live with those nuisances, but I think popularity for trusted systems had really diminished since 10.20 and 11.00.
You can also use the even less popular NIS Plus and get the same root restrictions. But I have yet to find an HP-UX box using NIS Plus. It's very unpopular.
06-19-2009 03:43 PM
Re: su command restriction
Apart from the advice you already got from others, here are other options:
a) Set option SU_ROOT_GROUP in /etc/default/security and add user "cbeny" if they are allowed to su(1) to "root". Or, if you do not want "cbeny" to be able to su(1) to "root", then make them not be part of Unix group as defined in SU_ROOT_GROUP.
b) Change permissions on /usr/bin/su (normally 4555, owner root, group bin or root), to a more restrictive, say 4550:
-r-sr-x--- 1 root sugrp ... /usr/bin/su
Then, create a sugrp in /etc/group. Add the users that are allowed to run su(1) to membership of the Unix group sugrp.
c) Finally, think about using Role Based Access Control.
Cheers,
VK2COT
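An audit sketch for option (b) in the post above, added here as an example and not written by anyone in the thread: it checks an `ls -l` line for /usr/bin/su against the 4550 root:sugrp layout and tests whether an account could still execute su through listed or primary group membership. The function names and the `audit` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. "sugrp" is the group name used in the post.

# su_mode_ok LS_LINE GROUP
# LS_LINE is one line of `ls -l /usr/bin/su`. Succeeds only if the file is
# setuid root, group-owned by GROUP, not group-writable, and closed to "other".
su_mode_ok() {
    printf '%s\n' "$1" | awk -v grp="$2" '
        { mode = $1; owner = $3; group = $4 }
        END {
            ok = (substr(mode, 4, 1) == "s") && (substr(mode, 6, 1) == "-") &&
                 (substr(mode, 8, 3) == "---") && (owner == "root") && (group == grp)
            exit !ok
        }'
}

# group_members GROUP [GROUP_FILE]
# Prints the members listed in field 4 of GROUP's entry, one name per line.
group_members() {
    awk -F: -v grp="$1" '$1 == grp {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "${2:-/etc/group}"
}

# may_run_su USER GROUP GROUP_FILE PASSWD_FILE
# Succeeds if USER is a listed member of GROUP or has GROUP as primary group.
# The second case is easy to miss: such users never appear in field 4.
may_run_su() {
    gid=$(awk -F: -v grp="$2" '$1 == grp { print $3; exit }' "$3")
    [ -n "$gid" ] || return 1
    group_members "$2" "$3" | grep -Fqx -- "$1" && return 0
    awk -F: -v u="$1" -v g="$gid" \
        '$1 == u && $4 == g { found = 1 } END { exit !found }' "$4"
}

# audit_su GROUP: report on the live system (root can always run su regardless).
audit_su() {
    if su_mode_ok "$(ls -l /usr/bin/su)" "$1"; then
        echo "OK: /usr/bin/su is setuid root and limited to group $1"
    else
        echo "FAIL: /usr/bin/su is not restricted to group $1"
    fi
    echo "Listed members of $1:"
    group_members "$1" /etc/group | sed 's/^/  /'
}

# Run as: sh thisfile audit [group]
if [ "${1:-}" = "audit" ]; then audit_su "${2:-sugrp}"; fi
```

On HP-UX the supplementary group list at login is built from /etc/logingroup where that file exists, so pass it as GROUP_FILE to `may_run_su` when it is not simply a link to /etc/group.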
06-19-2009 06:41 PM