Operating System - HP-UX

How to restrict the su access.

 
prasathc_1
Frequent Advisor

How to restrict the su access.

Hi All

I have a problem here. I am using an NIS domain. User machines and the test lab are configured under this domain. All the users' home dirs are exported with the exportfs command so that he/she is able to mount his/her home dir anywhere. In this situation I log in to a test machine as root, then put

1) cd ~mike ==> entering mike's home dir.
2) su mike ==> now I am mike and I am able to delete and create files in mike's home dir, but I am not the particular user. In this case how can I restrict the su access, or how can I monitor the su access apart from su access, because sulog can also be deleted?

Can anybody help me in this regard?

Thanks in Advance
Prasath C
If u fail to plan, U plan to fail
Steve Steel
Honored Contributor

Re: How to restrict the su access.

Hi

See man login

text is wrong

If the /etc/securetty file is present, login security is in effect.
Only user root is allowed to log in successfully on the ttys listed in
this file. Restricted ttys are listed by device name, one per line.
Valid tty names are dependent on installation. An example is

console
tty01
ttya1
etc.

Note that this feature does not inhibit a normal user from using the
su command (see su(1)).



Really, user root is only allowed to log in to the ttys listed.

Make it with console and root can only log in to the console.


Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Bill Hassell
Honored Contributor

Re: How to restrict the su access.

Regarding su mike
NEVER use su without the - option! su mike presents an unstable environment, left over from the previous user, whereas su - mike performs a complete login profile.

Also, sulog cannot be deleted unless the directory permissions on /var and /adm are bad which means you already have a security problem.

su access is easy to control. DON'T give out passwords and change them instantly when a problem is discovered.


Bill Hassell, sysadmin
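
Added example (editorial, not part of any poster's reply): a POSIX shell check for the monitoring half of the question, built on the sulog and directory-permission points above. It assumes the sulog line layout `SU MM/DD HH:MM +|- tty from-to` and the path /var/adm/sulog; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed sulog layout: SU MM/DD HH:MM <+|-> <tty> <from>-<to>
# "+" marks a successful su, "-" a failed attempt.

# Print one line per event of interest, reading a file argument or stdin:
#   FAILED     any unsuccessful su
#   ROOT2USER  root becoming an ordinary user (the case in the question)
#   TOROOT     a successful su to root
sulog_events() {
    awk '$1 == "SU" && NF >= 6 {
        cut = index($6, "-")          # split "from-to" at the first hyphen
        if (cut == 0) next
        from = substr($6, 1, cut - 1); to = substr($6, cut + 1)
        if ($4 == "-")                           kind = "FAILED"
        else if (from == "root" && to != "root") kind = "ROOT2USER"
        else if (to == "root")                   kind = "TOROOT"
        else next
        printf "%s %s %s %s %s->%s\n", kind, $2, $3, $5, from, to
    }' "$@"
}

# Return 0 if the path is writable by group or other, in which case a
# non-root user could remove or replace the log it holds.
loose_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample lines, not taken from a real system.
sample_sulog() {
cat <<'EOF'
SU 03/14 09:12 + ttyp1 root-mike
SU 03/14 09:40 - ttyp3 mike-root
SU 03/14 10:02 + ttyp2 oper1-root
SU 03/14 10:15 + ttyp4 mike-anna
EOF
}

sample_sulog | sulog_events
# /var/adm/sulog is the assumed log location on the system being checked.
for p in /var /var/adm /var/adm/sulog; do
    if [ -e "$p" ] && loose_perms "$p"; then
        echo "WARN: $p is writable by group or other"
    fi
done
```

On a real host, pass the log path to `sulog_events` instead of piping the sample, and run it from cron so the output is mailed or copied off the machine.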
Jordan Bean
Honored Contributor

Re: How to restrict the su access.


You can also restrict `su - root` to a single group defined in /etc/group (e.g. adm). Add this line to /etc/default/security:

SU_ROOT_GROUP=groupname



Wodisch
Honored Contributor

Re: How to restrict the su access.

Hi,

Why not get rid of "su" completely and use "sudo"?

FWIW,
Wodisch