Operating System - HP-UX

Saras_1
New Member

Prevent direct login using 'su - commonlogin' and not just 'su commonlogin'

I want to prevent users from using a common login directly. I went through the information given in "Subject: How can I prevent user to login directly to a generic account?" I tried to implement a couple of them. But at the end of it I could only do a 'su commonlogin' and not 'su - commonlogin'. Can someone give me a solution? My advance and sincere thanks.
Muthukumar_5
Honored Contributor

Re: Prevent direct login using 'su - commonlogin' and not just 'su commonlogin'

A simple way is to write a shell wrapper with /usr/bin/su as,

a) move /usr/bin/su to /usr/bin/suorg
b) shell wrapper

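#!/usr/bin/sh
# Wrapper installed as /usr/bin/su; the real binary is /usr/bin/suorg.
# Refuse any invocation whose arguments mention the blocked account.
if echo "$*" | grep -q 'username'
then
    echo "SU: Login is denied"
    exit 1
else
    # Quote "$@" so each argument reaches the real su unchanged.
    exec /usr/bin/suorg "$@"
fi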

--
Muthu

Easy to suggest when don't know about the problem!
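
The wrapper idea in the post above matches the account name anywhere in the argument string. As an added example (not code from the thread), the functions below instead parse the target account, so 'su - commonlogin' and 'su commonlogin' are treated alike while similarly named accounts pass through. It assumes the HP-UX form `su [-] [username [arguments]]`; `BLOCKED`, `REAL_SU` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: exact-match su wrapper logic (hypothetical names).
BLOCKED="commonlogin"              # account that must not be reached via su

# Print the account su would switch to for the given su arguments.
# A leading "-" only requests a login shell; no username means root.
su_target() {
    if [ "${1:-}" = "-" ]; then shift; fi
    if [ $# -eq 0 ]; then echo root; else printf '%s\n' "$1"; fi
}

# Exit status 0 when the invocation targets the blocked account.
su_denied() {
    [ "$(su_target "$@")" = "$BLOCKED" ]
}

# Wrapper body: refuse blocked targets, hand everything else to the real su.
su_wrapper() {
    if su_denied "$@"; then
        echo "su: switching to $BLOCKED is denied" >&2
        return 1
    fi
    # REAL_SU is where the original binary was moved (suorg in the post).
    "${REAL_SU:-/usr/bin/suorg}" "$@"
}

# Constructed invocations; only the decision is printed, su is never run.
for args in "- commonlogin" "commonlogin" "commonlogin2" "root -c commonlogin"; do
    if su_denied $args; then      # unquoted on purpose: split into words
        echo "deny:  su $args"
    else
        echo "allow: su $args"
    fi
done
```

Because the wrapper runs as the calling user, the moved binary has to stay executable by everyone, so this is a guard rail rather than an enforcement point.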
Muthukumar_5
Honored Contributor

Re: Prevent direct login using 'su - commonlogin' and not just 'su commonlogin'

Do you want to block both of the su logins to commonlogin, or su - to commonlogin?

Can you please revert with details.

--
Muthu
Easy to suggest when don't know about the problem!
Frank de Vries
Respected Contributor

Re: Prevent direct login using 'su - commonlogin' and not just 'su commonlogin'

We have installed sudo, and via the configuration file I control who can su to which account. Otherwise it will be denied.

If you do not want to go to the trouble of sudo, then why not take the permissions of the su executable? You will get something like this:

#su - opera
#ksh: su: cannot execute


Look before you leap
Saras_1
New Member

Re: Prevent direct login using 'su - commonlogin' and not just 'su commonlogin'

Muthu & Frank,

Thanks for the immediate response. I really wonder if I have made my requirement clear. There are a few admins in our dept. I'm the primary person for Sybase, but now all are using the same login, say 'sybase', in case they need to do some secondary support during my absence. If there is any crisis, there isn't any way to find out who is responsible for the same. So I have created an individual login for each of them. As they are used to logging in as 'sybase', they still tend to use the same. I just want to make sure they can log in as sybase only after they log in with their individual login. This being a production system, I cannot take any major step for now. Advise me if there is any risk-free method.
RAC_1
Honored Contributor

Re: Prevent direct login using 'su - commonlogin' and not just 'su commonlogin'

I think what you need to do would be as follows.
Do you have ssh (hp ssh) on the system? It has tcp wrappers built in.
Prepare the /etc/hosts.deny file to deny telnet/ssh directly to that user.

The user will still be able to do "su - sybase/su sybase".
There is no substitute to HARDWORK