Rainer von Bongartz
Honored Contributor

restricting su

Is there any way to restrict the su command?

I want to allow
su - user1
but
su - user2
should be denied.

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Stefan Farrelly
Honored Contributor

Re: restricting su

You will have to replace the su binary with a script which checks for who you are trying to su to then allows or disallows it.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Thierry Poels_1
Honored Contributor

Re: restricting su

Hi,

For non-root users this is easy: keep user2's password secret ;-)

For root: you could test in user2's .profile on 'who am i', which still reflects the original user.
But 'su user2' (without the minus) will pass this again :(

good luck,
Thierry.
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
David_246
Trusted Contributor

Re: restricting su

Sorry, I don't agree.
I think there is only one way (when not using an external product) to solve this. Current permissions are:
-r-sr-xr-x 1 root root 24576 Aug 6 1998 /usr/bin/su

Change them to:
-r-sr-x--- 1 root sugroup 24576 Aug 6 1998 /usr/bin/su

Now you create a sugroup in /etc/group. Make the users that are allowed to examine su members of the group sugroup.

Regs David
@yourservice
Rainer von Bongartz
Honored Contributor

Re: restricting su

Hi guys,

I do not want to restrict the use of su (any user is allowed to use it), but I need to restrict the target user called by su. There is a list of users which are only allowed to do a regular login; the use of su to gain these users' privileges is not allowed. (Of course this is a demand from our audit people, so let's not debate the sense of this demand.)

Regards
Rainer


He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Stefan Farrelly
Honored Contributor

Re: restricting su

I've not heard of auditing requiring this before. I've heard many times of them requiring an audit trail of who uses the su command. This is easier, as all you need to do is switch on accounting and select the su system call so you can log processes which use it. Then, just in case, you can backtrack and see who used su in the event of a problem.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Brian Bergstrand
Honored Contributor
Solution

Re: restricting su

There is a more secure way to do this than a script -- if you can install sudo.

First, disable all access to /usr/bin/su

# chmod go-rwx /usr/bin/su

Then add the following to /etc/sudoers

ALL ALL = NOPASSWD : /usr/bin/su

Then to su, your users run:

sudo su

If it does not match the list provided in the sudoers file, then sudo will not allow su to run.

This also has the side benefit of logging all su activity, including unauthorized attempts.

See the sudoers man page for the specific syntax.

HTH.
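The thread offers two building blocks for Rainer's requirement: Stefan's idea of putting a checking script in front of su, and Brian's accepted answer of making the real binary unreachable except through a logged path. The wrapper below is an added example written for this page, not code posted by anyone in the thread. It assumes the real binary has been moved to /usr/lbin/su.real and that a deny list lives in /etc/su.deny (both paths are assumptions; a constructed in-script list is used when the file is absent so the example runs offline). It denies "su" and "su -" to any listed target, logs every allowed and denied attempt to syslog with the calling user, and otherwise execs the real su with the arguments untouched. Because the check runs with the caller's privileges, it is only a real control when the caller cannot execute su.real directly, i.e. when the real binary has been stripped of group/other permissions as in the accepted answer and this wrapper is itself run through sudo (which is why the caller is taken from SUDO_USER when set).

```shell
#!/bin/sh
# Hypothetical su wrapper (example for this thread, not HP-UX or sudo code).
# Install as /usr/bin/su after moving the vendor binary to /usr/lbin/su.real;
# both paths are assumptions and are overridable through the environment.

REAL_SU=${REAL_SU:-/usr/lbin/su.real}
DENY_FILE=${DENY_FILE:-/etc/su.deny}

# Constructed deny list, used only when DENY_FILE is not readable, so the
# example can be exercised on a machine without the file.
DEFAULT_DENY="user2
oracle"

# Print the target login named on su's command line. "-" and options are
# skipped; "-c cmd" consumes its argument; no target at all means root.
su_target() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -)   shift ;;
            -c)  shift; [ $# -gt 0 ] && shift ;;
            -*)  shift ;;
            *)   printf '%s\n' "$1"; return 0 ;;
        esac
    done
    printf '%s\n' root
}

# Return 0 if su to the target is permitted, 1 if the target is on the deny list.
su_target_allowed() {
    target=$1
    if [ -r "$DENY_FILE" ]; then
        deny=$(cat "$DENY_FILE")
    else
        deny=$DEFAULT_DENY
    fi
    for d in $deny; do
        [ "$d" = "$target" ] && return 1
    done
    return 0
}

# Gate the request, log it, and hand over to the real su if allowed.
main() {
    caller=${SUDO_USER:-$(id -un)}
    target=$(su_target "$@")
    if su_target_allowed "$target"; then
        logger -p auth.notice -t su-wrapper "ALLOW $caller -> $target"
        exec "$REAL_SU" "$@"
    fi
    logger -p auth.warning -t su-wrapper "DENY $caller -> $target"
    echo "su: switching to $target is not permitted" >&2
    exit 1
}

# Only act as the wrapper when invoked under the name su; sourcing the file
# (for instance to reuse su_target_allowed elsewhere) does nothing.
case "${0##*/}" in
    su) main "$@" ;;
esac
```

The deny list is deliberately a flat file of login names, one per line, so the audit team's list of "login only" accounts can be dropped in as-is and reviewed without reading the script; the syslog lines give the per-caller trail that Stefan mentions auditors usually ask for.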
Sergejs Svitnevs
Honored Contributor

Re: restricting su

Instead of executing "su", use "sudo".
"sudo" lets you have more control over what users can do as other users.
Or
DON'T give out users' passwords, and change them immediately when a problem is discovered.

Regards,
Sergejs
David_246
Trusted Contributor

Re: restricting su

Hi Rainer,

Sorry for the misunderstanding. I do this using "eTrust Access Control" from CA. It works perfectly for your question.
Other sudo tools also work great with it. From a standard OS without extra tooling this will not be possible.

Regs David
@yourservice