HPE Community
Operating System - HP-UX
1832913 Members
2570 Online
110048 Solutions
New Discussion

how to deny su from regular unix account

 
Frank de Vries
Respected Contributor

‎10-30-2002 12:43 AM

‎10-30-2002 12:43 AM

how to deny su from regular unix account

I would like to deny certain accounts
to do su or su - , is their some mechanism
I can use like su.deny and how to do implement
that ?
Look before you leap
0 Kudos
Reply
9 REPLIES 9
John Palmer
Honored Contributor

‎10-30-2002 12:55 AM

‎10-30-2002 12:55 AM

Re: how to deny su from regular unix account

Hi,

There isn't a facility like su.deny. Prevention of su relies on the user not knowing the other account's password.

If they do know the password then there's nothing to prevent them logging in as that user anyway so I'm not sure what you're trying to achieve.

Depending on circumstances, it may be possible to replace su with a script which checks various things before calling the proper su.

Regards,
John
0 Kudos
Reply
Frank de Vries
Respected Contributor

‎10-30-2002 01:02 AM

‎10-30-2002 01:02 AM

Re: how to deny su from regular unix account

I have fixed a menu on a particular account,
but that means you must be faced with a login prompt. Unfortunetaly it is possible to bypass the menu when login in with su username and provide the known password, as this does not
load the environment the user gets a prompt
instead of a menu. I would like to close this
gap if poss. Any ideas.
Look before you leap
0 Kudos
Reply
Clemens van Everdingen
Honored Contributor

‎10-30-2002 01:02 AM

‎10-30-2002 01:02 AM

Re: how to deny su from regular unix account

Hi,

There is no way to do that. Except for not giving the root password.

Use sudo for this.

You will find the latest version here:

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.6/

With sudo you are able to give certain users the possibility to do things as root, and deny this to other users.

C.
The computer is a great invention, there are as many mistakes as ever, but they are nobody's fault !
0 Kudos
Reply
Tom Geudens
Honored Contributor

‎10-30-2002 01:06 AM

‎10-30-2002 01:06 AM

Re: how to deny su from regular unix account

Hi Frank,
There is no easy way to do this. A couple of suggestions can be found in the following thread : http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xaf7e37f45ef7d4118fef0090279cd0f9,00.html

Note that there is a logfile /var/adm/sulog. It might not be possible to disable su, but it is definitely possible to log (and take action on) the use of su.

Hope this helps,
Tom
A life ? Cool ! Where can I download one of those from ?
0 Kudos
Reply
Clemens van Everdingen
Honored Contributor

‎10-30-2002 01:06 AM

‎10-30-2002 01:06 AM

Re: how to deny su from regular unix account

Hi Frank,

Read this thread before installing the sudo version I mentioned.
There is a small installation problem with this depot.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xbe485c7609e9d61190050090279cd0f9,00.html

C.
The computer is a great invention, there are as many mistakes as ever, but they are nobody's fault !
0 Kudos
Reply
Paula J Frazer-Campbell
Honored Contributor

‎10-30-2002 01:07 AM

‎10-30-2002 01:07 AM

Re: how to deny su from regular unix account

Hi Frank

Su default permissions is :-

-r-sr-xr-x

If you change permisions and remove the execute then su can be controled, but it will be system wide.

Best is to do a system wide password change and keep the passwords away from the users you wish to control.


Paula
If you can spell SysAdmin then you is one - anon
0 Kudos
Reply
Ian Box
Advisor

‎10-30-2002 01:15 AM

‎10-30-2002 01:15 AM

Re: how to deny su from regular unix account

On some of our machines we've restricted use of the su command by altering its group. We add certain users to that group, and change the mode on the command to -r-s--x---

This, together with checking sulog, allows to keep track of who is su-ing.


Ian
0 Kudos
Reply
Victor Ciurus
Occasional Advisor

‎10-30-2002 01:16 AM

‎10-30-2002 01:16 AM

Re: how to deny su from regular unix account

You could actually change the group to su command and make the users you want to be able to 'su' a part of this new group. Just pay attention to what chaging group on users might bring!

Regards,
Vic
I was born intelligent! Education ruined me.
0 Kudos
Reply
George Morrison
Frequent Advisor

‎10-31-2002 05:57 AM

‎10-31-2002 05:57 AM

Re: how to deny su from regular unix account

Actually this is really realy easy. In 11i and a patched version of 11.0, there is a setting in /etc/default/security (man security for details) called SU_ROOT_GROUP. Create a standard group in /etc/group and add to it the accounts that you want to ALLOW su access to. The name this group in the security file:

# grep su /etc/group
sugrp::###:acct1,acct2

# cat /etc/default/security
SU_ROOT_GROUP=sugrp

Any attempt to use su by a user who is not in the su group will get a message and access will be denied.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.