Re: Restrict who can su to root?

Peggy Fong · ‎02-14-2001

I have one root/uid 0 account. /etc/securetty is set up so root can only directly login at the console. The system is trusted and I have restricted SAM setup for some users to do passwd/user administration. Is there some way to allow/deny users from using su to root if they got the passwd. Something like an su.allow file (kind of like cron.allow)

I haven't read, heard or found anything of the sort? We will monitor the sulog file but it would be nice to say who is allowed to su to root.
Any input would be greatly appreciated. I am new to the forum - but I will give points, just haven't asked many questions yet :)
Peg

Patrick Wallek · ‎02-14-2001

Peggy,

There is now way that I know of to restrict the su capability that is native to HP-UX. The easiest thing that comes to mind is just not giving out the password. If you don't want them to do a 'su -' then why give them the password?

Another option you have though is to use the product called 'sudo'. You can get it from the HP-UX Porting center. Here is a link to it:
http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.2b1/

Sudo allows you to set people up with the capability to run things with root capability without having to give out the root password or give out full 'su -' access.

Peggy Fong · ‎02-14-2001

Thank you for the reply. I am only a consultant and do not give out root. But I just thought it interesting that we (HP-UX) have a cron.allow, cron.deny, at.allow, at.deny to control who can use cron but not something similar for root just in case the root passwd gets out. This will not be a big issue - we will also be using sudo (already have it compiled and installed). Just checking the market. I thought somewhere in my past on another platform in the dark ages that there was actually a su.allow file (but I'm probably making that up.
Thanks again.

Jason VanDerMark · ‎02-14-2001

I would suggest against getting the version of sudo that is on the hp-ux port site. It has a few bugs under 11.x (especially inability to use PAM) it has been fixed in the newest release(1.6.3p5) The build instructions are fairly easy and can be found on the following website:

http://www.courtesan.com/sudo

Good luck,
Jason V.

Tie two birds together, eventhough they have four wings, they cannot fly.

Peggy Fong · ‎02-14-2001

Jason,
Thanks. I did use that site since it is considered the authoritative site for sudo. Our system is actually in really good shape security-wise. You would not believe all the services that have been turned off on these systems.

I was just hoping and dreaming of an su.allow file :) just like I'm hoping someone will answer my question on how to really make sense of trusted audit logs :)

Rick Garland · ‎02-14-2001

sudo is a way to limit who has root access. In the sudoers file you can have something like the line below to prevent root access;

Cmnd_Alias SU=/usr/bin/su, !/usr/bin/su *root*, !/usr/bin/su "",!/usr/bin/su -

Also, I have put in something for rlogin as well. If you are root one one system and do rlogin to another system, you are root on the other system as well.

The above Cmnd_Alias will prevent specified users from becoming UID=0 unless they are in the sudoers file as having the rights to UID=0.

Peggy Fong · ‎02-14-2001

Rick,
Thank you for wading through my fixation on su.allow (and thanks to others to for pointing to sudo). That is exactly what I need - have never use sudo in that manner but you have answered my question!

Thanks again everyone....what a great group.

Peg

Chris Garman · ‎02-21-2001

Hi,

One way to restrict who can su root is to take world permission off the su binary, and create a group of people allowed to run su. The only problem is this will stop people su-ing between normal accounts unless they are in the group.

Chris

Paula J Frazer-Campbell · ‎02-21-2001

Hi Peggy
Create a file in /usr/sbin/su
with :-
----------CUT HERE-------------
if [ `id|cut -c5-11` != "0(root)" ]
then
echo "Sorry"
echo "Root user only\n"
exit 1
fi
/usr/bin/su
----------CUT HERE------------

As /usr/sbin is earlier in the path then a user will pick up the /usr/sbin version of su and if the user is not root the the real su command will not be presented.

I use a version of this to prevent top being run by users other that root.

Just an idea

Paula

If you can spell SysAdmin then you is one - anon

Jim Hendrick · ‎04-04-2001

I think you refer to the "wheel" group on the ld SunOS 4 platform. If the wheel group existed, only its members could "su" to root.

As someone mentioned.

chgrp wheel /usr/bin/su;
chmod o-rwx /usr/bin/su

is a substitute.

Jim

Andrew Cowan · ‎04-30-2001

I have created a script that uses a database of users. It basically replaces the su with a script that checks a database first. The advantage of doing it this way is that I can create rules e.g. andrew can su to fred but not Oracle.....

I wrote this for a bank and so probably can't publish it, but if you are interested in how I did it, then please let me know.

Thierry Poels_1 · ‎05-01-2001

hi,
the best script/program/tool limiting su to root I can think of is:
passwd
Thierry ;-)

All unix flavours are exactly the same . . . . . . . . . . for end users anyway.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Restrict who can su to root?

Restrict who can su to root?