Operating System - HP-UX

Re: restricting root from 'su -' to a specific user

Steven Buschman_3
Frequent Advisor

restricting root from 'su -' to a specific user

Unusual request...
We have a system which a large number have (and need) root access to, and want to restrict many of those people from being able to do 'su - username' where "username" is one specific user. I realize this essentially means "username" is higher security than root, but that is what I want and need.
Currently, sudo or any other form of "controlled access" is not implemented.

Has anyone else done this?
Thoughts/ideas?
TIA,
Steven
Pete Randall
Outstanding Contributor

Re: restricting root from 'su -' to a specific user

Steven,

That's like asking how to restrict someone who's all powerful. I don't think you can accomplish what you seek.

Pete

Helen French
Honored Contributor

Re: restricting root from 'su -' to a specific user

You can use 'sudo' for doing this task. But a non-HP-supported solution can be found here, TKB #A5916408:

http://support2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000063234948
Life is a promise, fulfill it!
Steven E. Protter
Exalted Contributor

Re: restricting root from 'su -' to a specific user

Then you have a security issue with how you have set up your machine.

Individual apps, like Oracle and whatnot, should have less powerful users that own the application and files, and handle startup and shutdown.

root needs the ability to su - to other users. It's essential to the way the OS works internally.

If you figured out how to disable it, you'd have no system when you were done.

sudo is a great way around this issue.

In an ideal security environment, nobody, not even operations, should need the root password. Restricted SAM and other good tools would let them do their jobs without root access.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jose Mosquera
Honored Contributor

Re: restricting root from 'su -' to a specific user

Hi,

In your /etc/default/security file define:
SU_ROOT_GROUP=

then in your /etc/group file define:
:::root, user1, user2

In this case, only these users have "su" capabilities.

Rgds.
Shannon Petry
Honored Contributor

Re: restricting root from 'su -' to a specific user

There is yet another alternative. But it takes a bit of abstract thought to see ;)



If you don't already have /usr/local/bin in your users' path, get it in as the first entry seen.

Make your own script or program, su, and have it do whatever you want. Make sure that users who need the hybrid su are accessing /usr/local/bin in their path FIRST, and it will be used first. It does not impact anything that looks elsewhere first for su.

Regards,
Shannon
Microsoft. When do you want a virus today?
Steven Buschman_3
Frequent Advisor

Re: restricting root from 'su -' to a specific user

Thanks to all for the brainstorming.
As I mentioned, root access on this system is essential without implementing a true security scheme, which can't happen on this one system because of what it is used for internally. I'm going to investigate sudo more closely to make sure, and if anyone has any other ideas I'm still open-minded. But su to root AND as their user is and will be required, realizing the security issue.

Hmmmmmm, maybe putting the few files we need to protect on an NFS server that is root-secure, with root-only write access, and giving the few people required the 'username' access.

Thanks again for the ideas, past and future!
Steven
Sridhar Bhaskarla
Honored Contributor
Solution

Re: restricting root from 'su -' to a specific user

Hi,

In a nutshell, what Pete mentioned is correct. You are trying to restrict the superusers here. Even if you put in a wrapper script, you cannot do it, because they can always execute the original program.

sudo is not a direct solution for your problem either. You can control the users so that they use sudo to accomplish their work instead of su'ing to root.

So with the default setup, you cannot do it.

However, there is software like eTrust Access Control that can accomplish exactly what you mentioned. You can even control root. For example, you can set rules such that root cannot execute the password command whereas an ordinary user can. If you can afford purchasing and implementing this product, here is more information:

http://www.astrom.se/etrust-ac/index.shtml.en

There is other software like PowerBroker that can do the job too. But I haven't worked on it.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Rajeev  Shukla
Honored Contributor

Re: restricting root from 'su -' to a specific user

Hi Steven,
I've got a very simple solution for you. Move /usr/bin/su to some other place, say /usr/contrib/bin/mysu, and then write a C program something like this:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define APUID 0          /* uid the wrapper lets through (0 = root) */

int main(int argc, char *argv[])
{
    int uid;
    char *command = (char *)malloc(2048);

    if (command == NULL) {
        printf("1:Out of memory\n");
        exit(1);
    }

    /* Real uid of the caller, compared against the permitted uid */
    uid = getuid();
    if (uid != APUID) {
        printf("1:User not authorised \n");
        exit(1);
    }

    /* Run the relocated su; as posted, argv is not forwarded to it */
    strcpy(command, "/usr/contrib/bin/mysu");
    if (system(command) != 0) {
        printf("1:Failed to do su\n");
        exit(1);
    }
    free(command);
    return 0;
}

Some modification might be required as per your needs.

Rajeev
Rajeev  Shukla
Honored Contributor

Re: restricting root from 'su -' to a specific user

I am sorry, just a small (but big) change.
Please change
if ( uid != APUID )
to
if ( uid = APUID )

Rajeev
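The wrapper idea that Shannon and Rajeev describe (a replacement su placed ahead of the real one, which only root must not use against one account) can be made to do exactly the check the original question asks for: look at which login the caller is su'ing to, refuse only the combination "real uid 0 plus the protected user", and hand every other call, arguments intact, to the relocated real su. The program below is an added example, not code from any poster; the path /usr/contrib/bin/mysu is the one the thread chose, and the protected account name "appowner" and the "su-wrapper" syslog tag are assumptions.

```c
/* Added example: an su wrapper that refuses root -> protected user and
 * forwards everything else to the real su. Not code from the thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/types.h>

#define REAL_SU   "/usr/contrib/bin/mysu"  /* where the thread moved /usr/bin/su */
#define PROTECTED "appowner"              /* hypothetical account to shield */

/* Work out which login an su argument vector targets.
 * Syntax handled: su [-] [name [arg ...]]. A lone "-" only asks for a login
 * shell, so the first argument that is not "-" is the user name; with no
 * name at all, su targets root. */
const char *su_target(int argc, char *argv[])
{
    int i;
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-") == 0)
            continue;               /* login-shell flag, not a user name */
        return argv[i];
    }
    return "root";
}

/* Policy decision: 1 = refuse, 0 = let the real su decide.
 * Only the protected account is shielded, and only from a caller whose
 * real uid is 0; every other su keeps its normal behaviour. */
int su_denied(uid_t caller_uid, const char *target)
{
    return caller_uid == 0 && strcmp(target, PROTECTED) == 0;
}

int main(int argc, char *argv[])
{
    uid_t caller = getuid();        /* real uid, not the effective one */
    const char *target = su_target(argc, argv);

    if (su_denied(caller, target)) {
        /* Record the refusal where the auditors will look for it. */
        openlog("su-wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING, "refused su to %s from real uid %d",
               target, (int)caller);
        closelog();
        fprintf(stderr, "su: switching to %s is not permitted here\n", target);
        return 1;
    }

    /* Hand the unchanged argument vector to the real su so that ordinary
     * use (su -, su - oracle, su root ...) is exactly as before. */
    argv[0] = REAL_SU;
    execv(REAL_SU, argv);
    perror("execv");                /* only reached if the exec failed */
    return 1;
}
```

Because the wrapper sits in front of su, it must be installed with the same ownership and set-uid-root mode as the real su, otherwise non-root callers lose the ability to switch users at all. It also only narrows the policy: su_denied never grants anything, so a caller the real su would reject is still rejected. The limit Sri points out still applies: anyone who already holds uid 0 can run /usr/contrib/bin/mysu directly, so this raises the bar and leaves a syslog trail but does not make the protected account stronger than root.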