John Carver
Frequent Advisor

SU Restriction

I have created the file /etc/securetty to force my admins to su
rather than logging directly into root. Is there a method in HPUX11.00
to limit who can use the su command or better yet, a method to limit su
to root?

John Carver
7 REPLIES
Sanjay_6
Honored Contributor

Re: SU Restriction

Hi John,

"su" is a regular Unix command. If you want su to work only if root is passed as an argument, you can move the su binary executable to a location not in the regular user path and then put a wrapper script around the su command, so that the script can check whether root is passed as an argument; if so it works, else it fails.

However, is there a problem in allowing the regular users to su to a user id other than root? It should be okay if the user can su to another user id, since any userid other than root will be required to give the passwd for the userid someone is su'ing to.

Hope this helps.

regds
Steven Mertens
Trusted Contributor

Re: SU Restriction

hi John,

Maybe you can use sudo for it:

see:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xaf7e37f45ef7d4118fef0090279cd0f9,00.html

regards

Steven
Arockia Jegan
Trusted Contributor

Re: SU Restriction

Add
SU_ROOT_GROUP=group name

in the file /etc/default/security. So only the users in that particular group will be able to su to root.
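
An audit check for the SU_ROOT_GROUP setting in the reply above, as an added example that is not part of the original thread: it reads the group name from a security file and tests a user against that group's member list. Assumptions: the function names are hypothetical, the last uncommented SU_ROOT_GROUP line is treated as the effective one, and membership means being listed in the fourth field of /etc/group.

```sh
#!/bin/sh
# Added example (not from the thread): who may su to root under SU_ROOT_GROUP?
# Function names are hypothetical; file paths are passed in so copies can be audited.

# Print the group named by SU_ROOT_GROUP= (assumption: last uncommented line wins).
su_root_group() {   # $1 = security file, normally /etc/default/security
    sed -n 's/^[[:space:]]*SU_ROOT_GROUP=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" |
        tail -n 1
}

# Print the members listed in field 4 of a group(4) file, one per line.
group_members() {   # $1 = group name, $2 = group file, normally /etc/group
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$2"
}

# Return 0 if the user may su to root, 1 if the setting blocks it.
may_su_root() {     # $1 = user, $2 = security file, $3 = group file
    grp=$(su_root_group "$2")
    if [ -z "$grp" ]; then
        return 0    # attribute not set: su to root is not limited by group
    fi
    group_members "$grp" "$3" | grep -Fqx -- "$1"
}

# Demo on constructed sample files: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf 'SU_ROOT_GROUP=sysadm\n' > "$d/security"                  # constructed
    printf 'sysadm::200:alice,bob\nusers::20:carol\n' > "$d/group"   # constructed
    for u in alice carol; do
        if may_su_root "$u" "$d/security" "$d/group"; then
            echo "$u: allowed"
        else
            echo "$u: blocked"
        fi
    done
    rm -rf "$d"
fi
```
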
MANOJ SRIVASTAVA
Honored Contributor

Re: SU Restriction

Hi John


Here is how we do it. Edit /etc/profile and add the following lines:

# Login name of the original session (unchanged by su)
loginid=`who am i | awk '{print $1}'`

echo "$loginid"
if [ "$loginid" = "root" ]
then
exit
fi


This will throw out anyone trying to log in as root, so to go to root you have to su to root after logging in as a normal user.


Manoj Srivastava
Arockia Jegan
Trusted Contributor

Re: SU Restriction

There is another way to set up this security. Install the sudo software and modify the /etc/sudoers file to allow only the particular users to su to root.

You can get sudo from here,

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.6/
Bill Hassell
Honored Contributor

Re: SU Restriction

Just a note about the /etc/default/security file: although it is standard on 11i, you'll need the latest libpam patch PHCO_25527. Unfortunately, the man page for security is missing so you'll need to look at docs.hp.com for the details:

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-90696/B2355-90696_top.html&con=/hpux/onlinedocs/B2355-90696/00/01/111-con.html&toc=/hpux/onlinedocs/B2355-90696/00/01/111-toc.html&searchterms=security%7c4&queryid=20020716-171645

and

http://docs.hp.com/hpux/onlinedocs/5185-4391/5185-4391.html


Bill Hassell, sysadmin
Michael Tully
Honored Contributor

Re: SU Restriction

sudo is the recommendation. To restrict admins even further, you could go one step further and lock up the root passwd as well. Have the IT manager keep it (them) in a locked safe with limited access. You don't need the root passwd if sudo is installed and *used* correctly. Each instance of its usage can be logged and tracked, as to who does what and when. Also remove '.rhosts' and '/etc/hosts.equiv' files.
Anyone for a Mutiny ?