
restrict "su" access

wish_1
Frequent Advisor

restrict "su" access

Hi all,

We need to restrict "su" access such that it should not be possible to su to normal ( unprivileged ) user accounts. For eg.. su to root should be possible but su to mickey should not be possible.

Thanks in adv.

Regards,
Wish
5 REPLIES
Vamsidin
Frequent Advisor

Re: restrict "su" access

Create the file /etc/securetty with the single word console as its contents. This prevents root access unless you are sitting at the console or are using su.

Finally, create a file called /etc/default containing the following lines:

ABORT_LOGIN_ON_MISSING_HOMEDIR=1
NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=3

This prevents users from logging into the machine if they don't have a home directory defined in /etc/passwd and will prevent a user from logging in with more than three concurrent sessions.
Matti_Kurkela
Honored Contributor

Re: restrict "su" access

Restricting the "su" command is not going to stop the root user from accessing any normal user accounts. Consider this:

$ su
...user becomes root...
# cp /usr/bin/sh /tmp/mickeysh
# chown mickey /tmp/mickeysh
# chmod 4700 /tmp/mickeysh
# /tmp/mickeysh
$ /usr/bin/sh
$ whoami
mickey

Your problem might benefit from a different approach:

1.) Find out which routine tasks require root privileges

2.) Design and implement ways to perform those tasks without root access. For this, you can use standard UNIX file permissions, group memberships and/or tools like Restricted SAM, sudo or HP RBAC.

(This can actually make those routine tasks *easier* for the authorized people, if your design is good. That will make your people *want* to use the new ways after a while.)

3.) When you've reached the point that root access is required only very rarely, change the root password. Treat the new password like the master key of your main office/factory/whatever.

4.) For any new systems, start doing steps 1) and 2) when the system is still in design phase. It's much easier that way, and allows you to notice any potential problem spots while they can still be changed.

MK
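Added example, not from the thread or from HP: a small POSIX sh audit that lists set-uid files not owned by root, the kind of artifact the /tmp/mickeysh demonstration above leaves behind on a system. The fixture directory and file names it builds are constructed for demonstration; it assumes only find, ls and awk.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for set-uid regular files
# whose owner is not the trusted account (root by default). A set-uid shell
# owned by an ordinary user, like /tmp/mickeysh above, is exactly what this flags.

# audit_setuid DIR [TRUSTED_OWNER]
# Prints one line per finding: "<owner> <mode> <path>".
audit_setuid() {
    dir=$1
    trusted=${2:-root}
    find "$dir" -type f -perm -4000 ! -user "$trusted" -print 2>/dev/null |
    while IFS= read -r f; do
        # ls -ld fields: mode links owner group ...; awk pulls owner and mode
        ls -ld "$f" | awk -v p="$f" '{ print $3, $1, p }'
    done
}

# count_findings DIR [TRUSTED_OWNER]: number of flagged files, handy for alerts
count_findings() {
    audit_setuid "$1" "$2" | wc -l | tr -d ' '
}

# make_fixture: builds a constructed directory resembling the demo in the thread
# (a copy of a shell with mode 4700 next to an ordinary file) and prints its path.
make_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/mickeysh"
    chmod 4700 "$d/mickeysh"
    printf 'plain data\n' > "$d/notes.txt"
    chmod 0600 "$d/notes.txt"
    printf '%s\n' "$d"
}

# Typical use against a real system: audit_setuid /tmp ; audit_setuid /home
```

On a real host the same call against /tmp or /home turns up any set-uid copy of a shell that a root session left behind for an unprivileged account; run it as root so that find can descend into every directory.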
Jennifer Lynn
New Member

Re: restrict "su" access

From the replies, I'm not sure what you need,
but if someone needs to be root to do a task,
just set up sudoers to let them run whatever script they need to run:

User_Alias ROOTCMD = users,placed,here

Cmnd_Alias MYCMD = /path/to/some/script

ROOTCMD ALL = (root) MYCMD
wish_1
Frequent Advisor

Re: restrict "su" access

We want to restrict su in between the users
(like normal users = a, b, c;
a should not be able to su - b / su - c, and vice versa).

Regds,
Wish
Patrick Wallek
Honored Contributor

Re: restrict "su" access

If a person is logged in as user a, then they can NOT do an 'su - b' or 'su - c' unless they know the password for users b and/or c. The most effective way to prevent that is strict password control. If the users don't need to know the password for other users, don't tell them.