Operating System - HP-UX

How do I force users to su to a non-root account?

 
DAN HENDERSON
New Member


I have an account (non-root) that I want to force users to "su" to. Is that possible?

Thanks ...

Craig Rants
Honored Contributor

Re: How do I force users to su to a non-root account?

Try making their shell /usr/bin/su - userid.

Good Luck,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Uday_S_Ankolekar
Honored Contributor

Re: How do I force users to su to a non-root account?

Hi,

This would be possible if you create (in case you don't have one) a file in /etc/securetty and
add an entry called console in that.

This would only allow su to all the users if they want root access.

Good luck
-USA..
Good Luck..
Justo Exposito
Esteemed Contributor

Re: How do I force users to su to a non-root account?

Hi Dan,

Try:
su - username
exit
in the last 2 lines of the .profile file of the user.

Regards,
Justo.
Help is a Beautiful word
Craig Rants
Honored Contributor

Re: How do I force users to su to a non-root account?

Justo,
If it was in their .profile, the user could Ctrl-C out of the su, granted they are not a novice. Making it their shell gives them no option.

Uday,
The console entry in /etc/securetty only allows root logins from telnet and rlogin at the console, it does not affect other users.

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Uday_S_Ankolekar
Honored Contributor

Re: How do I force users to su to a non-root account?

Sorry, I misunderstood your question.. Thanks to Craig for correcting it.
Good Luck..
Justo Exposito
Esteemed Contributor

Re: How do I force users to su to a non-root account?

hi,

Yes, Craig, you are ok. But you can use the stty command in the .profile to lock the Control-C, and you can develop with shell a menu to access the system with many options.

Regards,
Justo.
Help is a Beautiful word
Solution

Re: How do I force users to su to a non-root account?

If you mean, like a DBA, who has to log in under his *own* account before he can su to oracle... This has come up several times before... see the attached link:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x7924cbaac6dcd5118ff40090279cd0f9,00.html

Craig Rants
Honored Contributor

Re: How do I force users to su to a non-root account?

I can't even write today.

/etc/securetty with an entry of console disallows telnet and rlogin attempts as root, root can only login on the console.

Geez, was that so hard.

Sorry for my gibberish,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Craig Rants
Honored Contributor

Re: How do I force users to su to a non-root account?

Justo,
Yes you are right, forgot about that option.
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Tim D Fulford
Honored Contributor

Re: How do I force users to su to a non-root account?

Dan

This does not seem to be in line with the answers given above! However, I think this is what you want.

If you have a generic non-root user account, say informix, you obviously do not want users to directly telnet or rlogin into those accounts as there is no audit trail. In effect you want a /etc/securetty for regular users (I think). I do not know of such a beast. However, if in the .profile of informix you put

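# logname reports the name used at login; it does not change after su
wai=$(/usr/bin/logname)
# quoted so the test still works if logname returns nothing
if [ "$wai" = informix ]
then
    echo "Access denied, use su - user"
    # exec replaces the login shell, so the session ends when sleep finishes
    exec sleep 5
    exit
fi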

Obviously these files cannot be owned by informix so make them owned by root & readable
# chmod 440 ~informix/.profile
OR
# chmod 444 ~informix/.profile
# chown root:informix ~informix/.profile

Tim
-
Bernie Vande Griend
Respected Contributor

Re: How do I force users to su to a non-root account?

Dan,
can you clarify the question? Do you want users to automatically su to that account when they login?
Or do you want that non-root account to only be used by "su" to it, instead of direct login? An example would be a database generic account such as "oracle" or "sybase". Can't think of a great way for the first scenario. For the second, I've accomplished that by modifying /etc/profile in the same way that Tim suggests doing in a local .profile. Either way will work, but I prefer /etc/profile as it makes it a bit easier to administer.
Ye who thinks he has a lot to say, probably shouldn't.
Darrell Allen
Honored Contributor

Re: How do I force users to su to a non-root account?

Hi Dan,

There is no HPUX mechanism such as securetty for non-root accounts. I believe you will have to put edits in /etc/profile to do what you want (or /etc/csh.login if a csh account).

You may try putting the edits in the account's .profile but you would have to put sticky bit on the directory, chown the directory to root, and generally a bunch of stuff that makes life more difficult for that account.

There's a number of threads along this line in the forums. My best search results are from search.hp.com on something like: +login +su +restrict

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)

Re: How do I force users to su to a non-root account?

Tim,

The code is good, but you can't protect anything that goes in a user's .profile....

Remember that the user 'informix' owns its home directory, so they can delete any file in there. If I was the informix DBA, and the code you'd added was annoying me I'd do this:

cp .profile .profile.new
< remove those annoying lines in .profile.new>
rm -f .profile
mv .profile.new .profile

So to stop this you must add the code to /etc/profile, which is also run at login, but which the user *can't* edit or change.

HTH

Duncan

Craig Rants
Honored Contributor

Re: How do I force users to su to a non-root account?

Ok, so the question is you want an account that users cannot login as, but can su to. Guess I missed the intent.

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
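
The /etc/profile approach that Tim, Bernie, Darrell and Duncan converge on, written out as an added example (not code posted by anyone in the thread). The account list is an assumption; the check relies on logname still reporting the original login name after su, as Tim's snippet does.

```shell
# Added example: fragment for /etc/profile (root-owned, read by sh/ksh login shells).
# Assumption: these are the generic accounts that may only be reached via su.
SU_ONLY_ACCOUNTS="informix oracle"

# is_direct_login LOGIN_NAME CURRENT_USER
# Returns 0 (deny) when CURRENT_USER is an su-only account and the session's
# login name is that same account, i.e. nobody logged in as themselves first.
is_direct_login() {
    for acct in $SU_ONLY_ACCOUNTS; do
        if [ "$2" = "$acct" ] && [ "$1" = "$acct" ]; then
            return 0
        fi
    done
    return 1
}

# Ignore HUP/INT/QUIT so the check cannot be interrupted with Ctrl-C.
trap '' 1 2 3

# logname names the account that logged in on this terminal; after
# "su - informix" it still names the personal account. It can fail when there
# is no terminal, so fall back to empty (treated here as "not a direct login").
login_name=$(logname 2>/dev/null) || login_name=""
current_user=$(id -un)

if is_direct_login "$login_name" "$current_user"; then
    echo "Direct login as $current_user is not allowed."
    echo "Log in with your own account, then use: su - $current_user"
    sleep 5
    exit 1
fi

# Restore default signal handling and drop the helper variables.
trap - 1 2 3
unset acct login_name current_user
```

This only takes effect for sh/ksh login shells; as Darrell notes, csh accounts need the equivalent in /etc/csh.login, and sessions that never start a login shell do not read /etc/profile at all.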