
SU restrictions

Jason Williams_10
New Member

SU restrictions

Is there any way to prevent certain users from su'ing to certain login ids? I would like to allow one group to su to an application login id but not another group. It is impossible to keep the password from spreading.
Rick Garland
Honored Contributor

Re: SU restrictions

SUDO is one of the better ways I have found. The logging is good. If somebody tries, then the ADMIN gets an email that says so.

To prevent unauthorized root access, use the SU_ROOT_GROUP.
Jason Williams_10
New Member

Re: SU restrictions

We are using sudo too. However, this will not help in this particular situation. I know this can be done for root. That was not my question. I am looking to find out if it can be done for other ids.
Rick Garland
Honored Contributor

Re: SU restrictions

This can be done for other ids.

In the sudoers file you specify that a user cannot su -

An example:
!/usr/bin/su *id*

Do not allow this user (or group of users) to su to this particular userid.

This can be expanded on as there are other methods of doing the su.

But it can be done. I am doing it now.
Rick Garland
Honored Contributor

Re: SU restrictions

Another option that I am using: I am only specifying which users can su to an account. All other users are not included in the group. When they try, the message "Not in SUDOERS" appears and ADMIN gets an email.
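An added illustration of the two sudoers approaches described in the replies above (a negated `su` entry versus an allow-list that names only the permitted group). This is not code posted by anyone in the thread; it uses the account names jay and app and the groups prod and test that appear later in the thread, and the `/usr/bin/su` path, log file path and mail address are assumptions for the example.

```sudoers
# Added example, not from this thread. Edit only with visudo: a syntax error in
# sudoers can lock every administrator out of sudo at once.

# Log every attempt and mail the admin when a user who is not listed tries.
# (logfile path and mailto address are assumed values for this illustration)
Defaults logfile=/var/log/sudolog
Defaults mailto="admin@example.invalid"
Defaults mail_no_user

# Both spellings of "become app" that sudo will see on the command line.
Cmnd_Alias SU_APP = /usr/bin/su - app, /usr/bin/su app

# Allow-list: only members of group prod may become app. They are asked for
# their OWN password, so app's password never needs to be shared at all.
%prod   ALL = (root) SU_APP

# Group test has no entry. When jay runs "sudo su - app" the request is refused
# with "jay is not in the sudoers file", the refusal is written to the logfile
# and, because of mail_no_user, mailed to the admin.

# Deny-style alternative (the "!/usr/bin/su *id*" form from the earlier reply):
# %test   ALL = (root) ALL, !/usr/bin/su - app, !/usr/bin/su app
```

The allow-list form is the one to prefer: the sudoers(5) manual notes that subtracting commands from ALL with `!` is not a reliable restriction, since a user who already has ALL can reach the same effect through another path (a copy of the binary, a shell, an editor). Listing exactly the command a group may run, as in the `%prod` line, leaves nothing to subtract.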
Fred Ruffet
Honored Contributor

Re: SU restrictions

In case your users log in to the machine with their own account and then use su, "who -m" still gives their original connection id. So you can set up a line in the .profile of the prohibited user to exit if this id is not wanted...

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Jason Williams_10
New Member

Re: SU restrictions

Sounds promising.

So let's say I have a user "jay" and a super user "app". Let's say that "jay" is a member of the group "test" but not a member of the group "prod". I want only members of "prod" to be able to su to "app" after they are already logged into the system. What would I put in "app"'s .profile to accomplish this and keep "jay" out?
Fred Ruffet
Honored Contributor

Re: SU restrictions

In the following code (may be better, but done fast), "validGroups" are the group ids you may log in from.

---

# the user who actually logged in on this terminal, even after an "su"
originalUser=`who -m | awk '{print $1}'`
# no terminal (cron, remote command): refuse rather than compare an empty id
if [ -z "${originalUser}" ]
then
    echo "UNAUTHORIZED LOGIN"
    exit 1
fi
# primary group id from /etc/passwd, matched on the exact login name
# (a plain grep would also match any name that merely contains this one)
primaryGroup=`awk -F: -v u="${originalUser}" '$1 == u { print $4 }' /etc/passwd`
# secondary group ids from /etc/group, matched on the exact member name
secondaryGroups=`awk -F: -v u="${originalUser}" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $3 }' /etc/group`
originalGroup="${primaryGroup} ${secondaryGroups}"
# numeric group ids that are allowed to reach this account
validGroups="20 0"
valid=0
for userGroup in ${originalGroup}
do
    for validGroup in ${validGroups}
    do
        if [ "${validGroup}" -eq "${userGroup}" ]
        then
            valid=1
        fi
    done
done
if [ ${valid} -eq 0 ]
then
    echo "UNAUTHORIZED LOGIN"
    exit 1
fi

---

Regards,

Fred

--

"Reality is just a point of view." (P. K. D.)
Jason Williams_10
New Member

Re: SU restrictions

Thanks, I'll give it a shot!
Rick Garland
Honored Contributor

Re: SU restrictions

The simplest method I have in my sudoers file is that I have a user that is allowed to su -.

Nobody knows the passwd to the , it can only be reached by the valid entry in the sudoers file.

All other users not in the sudoers file are denied access, and the log is appended to state that so-and-so tried, with an email sent to the ADMIN.