
Restricting use of su

 
Luis Toro
Regular Advisor

Restricting use of su

I have read through many threads with very good ways to restrict who can "su", and to restrict direct logging with shared accounts. Here's my wrinkle: I not only need to restrict shared accounts (from logging in) but also restrict who can su to certain ids. In the event the shared id password is compromised (since it doesn't age), only certain users will be able to su to that specific id. Also, to prevent a DBA from walking over to a user's desktop and su'ing from his/her login to "oracle".
Thank you
7 REPLIES 7
Jairo Campana
Trusted Contributor

Re: Restricting use of su

Finally, there is a shareware called 'sudo'. This package determines
which users have the privilege to operate as su.

You can find 'sudo' at the following web site:

http://hpux.cs.utah.edu/

Once you access the site:

1. Type 'sudo' in the 'Package Search:' field.

2. Click the 'Search' button.

3. Click the 'sudo-1.5.6p5' link for more information.



legionx
James A. Donovan
Honored Contributor

Re: Restricting use of su

Sudo is the best way I know of doing what you want.

If you're not averse to compiling source code, I would go to the Sudo home page and grab the latest version of sudo. Should be 1.6.7p5

http://www.courtesan.com/sudo/
Remember, wherever you go, there you are...
Ross Zubritski
Trusted Contributor

Re: Restricting use of su

Sudo Rocks. If your company is in the mood to spend money, you could also investigate the former SEOS product, now known as E-Trust(CA)

Regards.

RZ
Rajeev  Shukla
Honored Contributor

Re: Restricting use of su

Or the other way is to modify "su"
Move /usr/bin/su to say /usr/bin/mysu
create a C program where you can check for the users to be allowed to use the program and then call the /usr/bin/mysu in that C program.
Name this program as "su"
there you go..you have your own su

Let me know if you need help in writing the program.

Rajeev
Michael Tully
Honored Contributor

Re: Restricting use of su

sudo is definitely the way to go.

Here is the link, it is in depot format ready to install using 'swinstall'

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/

I've used seos before and it can be extremely restrictive.


Regards
Michael
"When I have trouble spelling, it's called fat finger syndrome"
Anyone for a Mutiny ?
Luis Toro
Regular Advisor

Re: Restricting use of su

Thanks.
However, since Ross opened up the "E-Trust" can of worms...
My company is willing to "throw" money at a "robust" security tool. We bought/deployed/pulled E-Trust. We have evaluated the product by Symark (PowerBroker and PowerPassword), and are in the midst of bringing in IBM's solution, Tivoli Access Manager for Operating Systems (AMOS). I was going to post a question on this product, since I'm treading cautiously on enterprise solutions ever since our E-Trust fiasco. Any opinions?
Ross Zubritski
Trusted Contributor

Re: Restricting use of su

Luis,

Just for clarification, I was not soliciting E-Trust, we had a similar fiasco here with it. LOL.....

Stick with sudo, everyone will be happy.

RZ
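
A sudoers policy for the scenario in the original question, added here as an example and not taken from any post in this thread or from the sudo project. The logins jsmith and mjones and the log path are assumptions; "oracle" is the shared id named in the question.

```sudoers
# Constructed example policy. jsmith and mjones are hypothetical DBA logins.
# Edit with visudo so a syntax error is caught before the file is installed.

# The only people allowed to become the shared oracle account.
User_Alias  DBAS = jsmith, mjones

# Record every invocation: who ran it, from which tty, as which user.
# The path is an assumption; pick a file only root can write.
Defaults    logfile=/var/adm/sudo.log

# Ask for the invoking user's own password every time, so an unlocked
# session with a recently used sudo ticket cannot be reused by someone else.
Defaults    timestamp_timeout=0

# Members of DBAS may run a shell or any command as oracle, and only as
# oracle, authenticating with their OWN password:
#     sudo -u oracle -s
DBAS  ALL = (oracle) ALL

# Narrower alternative: permit only a login-style switch through su.
# su runs as root here, so it does not prompt for the oracle password:
#     sudo su - oracle
# DBAS  ALL = (root) /usr/bin/su - oracle
```

Because sudo authenticates the person invoking it and checks that person against DBAS, knowing the shared oracle password no longer grants the switch, and a login that is not listed cannot be used to reach oracle from someone else's desktop.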