HPE Community
Operating System - HP-UX
1846588 Members
2142 Online
110256 Solutions
New Discussion

su command

 
CIS BDLM Ms KAREH
Occasional Advisor

‎03-20-2003 07:23 AM

‎03-20-2003 07:23 AM

su command

I have an id that multiple users know the password.

Is it possible to allow that user to login only via another user by using the su command.

Example:
userx is denied to log in.
For userx to log in, usery will have to log in then usery will have to su - userx.
HP-UX 10.2
0 Kudos
Reply
6 REPLIES 6
Ken Hubnik_2
Honored Contributor

‎03-20-2003 07:29 AM

‎03-20-2003 07:29 AM

Re: su command

Yes, that is probably the best way to do it so you have an su log .
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎03-20-2003 07:36 AM

‎03-20-2003 07:36 AM

Re: su command

This is really a policy issue.

When we find a user id is being abused the first think we do is lock it.

passwd -l userid

Then we notify the user and his or her supervisor to stop password sharing or whatever the violation is.

We then reset the user password(if a new id is needed we create it). Then we reset the user id force a change on the next login and get the user to sign acknowledgement of our security and password sharing policy.

Trying to enforce this stuff with the system is tough, people need to know they are risking their job with security violations.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Robert-Jan Goossens
Honored Contributor

‎03-20-2003 07:39 AM

‎03-20-2003 07:39 AM

Re: su command

Hi,

Something like this,

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x59d7cdec06f1d61190050090279cd0f9,00.html

Hope it helps,

Robert-Jan.
0 Kudos
Reply
Chris Vail
Honored Contributor

‎03-20-2003 12:19 PM

‎03-20-2003 12:19 PM

Re: su command

This in fact is an excellent idea. We've locked out both the root and oracle users this way. In order to log into a host, everyone must first log in using their private accounts, then su to root, oracle, or a couple of other key accounts that we've identified. The exception to this is when they've logged onto one host, and used secure shell to log on to another host. Then, of course, secure shell logs its activities as well.


Chris
0 Kudos
Reply
CIS BDLM Ms KAREH
Occasional Advisor

‎03-23-2003 11:37 PM

‎03-23-2003 11:37 PM

Re: su command

I would appreciate any solutions or suggestions.

Thank you.
HP-UX 10.2
0 Kudos
Reply
john korterman
Honored Contributor

‎03-24-2003 12:13 AM

‎03-24-2003 12:13 AM

Re: su command

Hi,
in ksh you can make use of the LOGNAME variable: the name with which the user originalley logs in is assigned to that variable. You can then test on the original logname in the .profile for the user to which you will only allow to su.
Example of the .profile for the user flipflop:

#!/usr/bin/sh
if [ "$LOGNAME" = "flipflop" ]
then
exit
fi

which will prevent flipflop from loggin in directly, but allow su - flipflop.

regards,
John K.

it would be nice if you always got a second chance
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.