HPE Community
Operating System - HP-UX
1829262 Members
1884 Online
109988 Solutions
New Discussion

Security IDs

 
Fenglin
Regular Advisor

‎04-05-2010 10:12 PM

‎04-05-2010 10:12 PM

Security IDs

Hi

How to create/set an ID that cannot switch user to root?

Regards
Feng Lin
0 Kudos
Reply
4 REPLIES 4
Matti_Kurkela
Honored Contributor

‎04-05-2010 11:01 PM

‎04-05-2010 11:01 PM

Re: Security IDs

Do you assume that the owner(s) of that ID will get to know the root password? If so, you have a critical problem in your root password management: fix that first.

You can create a group that includes all the users that should be allowed to switch to root, then change the permissions of the "su" command to make it executable by that group only.

Restricting the "su" command will make it difficult to access other non-personal user accounts (i.e. application user accounts). So you may have to provide an alternative that allows more flexible security controls than the "su" command. A common alternative is "sudo": it is available in the free HP Internet Express package.

"sudo" allows the sysadmin to define the things a user is allowed to do using accounts other than his/her own, in a case-by-case basis.

When using sudo to switch from ID A to ID B, the user is not normally asked the password of ID B. Instead, if the action is allowed in the sudo configuration, the user may be simply allowed to do it, or required to enter the password of ID A to confirm their identity. If you want sudo to require the password of ID B, that is configurable too.

From a security perspective, it would be best if each user has a unique, personal ID which is used by nobody else. If the user hasn't been authorized to do something, the system should stop him/her from doing it at all. From the ease-of-use perspective, if the user has been authorized to do something, it should "just work" with the minimum required extra steps because of security restrictions. That's exactly the combination of behaviours you can achieve with sudo.

MK
MK
0 Kudos
Reply
Johnson Punniyalingam
Honored Contributor

‎04-05-2010 11:03 PM

‎04-05-2010 11:03 PM

Re: Security IDs

http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1270537286861+28353475&threadId=87437
Problems are common to all, but attitude makes the difference
0 Kudos
Reply
Fenglin
Regular Advisor

‎04-06-2010 12:29 AM

‎04-06-2010 12:29 AM

Re: Security IDs

Hi Matti

How do I restrict group A to be able to su to root and group B not to be able to su to root?

Regards
Feng Lin
0 Kudos
Reply
Doug O'Leary
Honored Contributor

‎04-06-2010 05:02 AM

‎04-06-2010 05:02 AM

Re: Security IDs

Hey;

man security(4); the option you're looking for is called SU_ROOT_GROUP. It's effective since 11.11.

So, define a group you want to be able to su - root, then define it in the security file:

groupadd sysadm
echo "SU_ROOT_GROUP=sysadm" >> /etc/default/security

should do the trick.

Doug O'Leary

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.