HPE Community
Operating System - HP-UX
1833891 Members
1966 Online
110063 Solutions
New Discussion

SU_ROOT_GROUP in /etc/default/security

 
SOLVED
Go to solution
TheJuiceman
Super Advisor

‎03-23-2005 04:40 PM

‎03-23-2005 04:40 PM

SU_ROOT_GROUP in /etc/default/security

I am wanting to set up this parameter, but am not sure where and how to set up the group. Is there a simple way to maintain this group without the hassle of editing it whenever someone leaves/comes/etc? With the way our system is set up (due to software concerns), we do not have a separate group setup for these users.

Thanks for your help.
0 Kudos
Reply
7 REPLIES 7
Joseph Loo
Honored Contributor

‎03-23-2005 04:52 PM

‎03-23-2005 04:52 PM

Solution

Re: SU_ROOT_GROUP in /etc/default/security

hi,

account management is part and parcel of system administraion life. Unless u have operators who take cares of this duties, i think your hands have to be dirty for such duties.

regards.
what you do not see does not mean you should not believe
Reply
Pete Randall
Outstanding Contributor

‎03-23-2005 10:10 PM

‎03-23-2005 10:10 PM

Re: SU_ROOT_GROUP in /etc/default/security

Bob,

In order to set this up, you're going to have to make the (hopefully) limited number of users who are allowed to su to root members of the same group (we use "support"). You will also have to maintain this as people join and leave this group.


Pete

Pete
Reply
Rick Garland
Honored Contributor

‎03-24-2005 02:45 AM

‎03-24-2005 02:45 AM

Re: SU_ROOT_GROUP in /etc/default/security

Setting up a group is not required. I see the use of the 'adm' group as a solution to this requirement. For those users who are suppose to have special powers, add them to the adm group. If there is a departure then remove them.

The only maintenance you would have to do for this group is the addition/deletion of accts as people come/go.

Optionally, do set up a group. I create called 'wheel' and place the SysAdmins in there.

Low maintenance and overhead. Probably the lowest you will have to deal with.
Reply
TheJuiceman
Super Advisor

‎03-24-2005 09:32 AM

‎03-24-2005 09:32 AM

Re: SU_ROOT_GROUP in /etc/default/security

Thanks everyone. Where do I need to set this group up at? Thanks again.
0 Kudos
Reply
TheJuiceman
Super Advisor

‎03-24-2005 09:49 AM

‎03-24-2005 09:49 AM

Re: SU_ROOT_GROUP in /etc/default/security

Also, would it be possible to set up a variable in the group to say, for example, allow all users that logins start with a "D"? Thanks.
0 Kudos
Reply
Rick Garland
Honored Contributor

‎03-29-2005 07:13 AM

‎03-29-2005 07:13 AM

Re: SU_ROOT_GROUP in /etc/default/security

To setup the group, can use SAM to add a group or do so manually in the /etc/group file.

As to your last question, get the value for the $LOGNAME and test to see if the 1st character is a 'D'. If true, do whatever.
Reply
Bill Hassell
Honored Contributor

‎03-29-2005 02:25 PM

‎03-29-2005 02:25 PM

Re: SU_ROOT_GROUP in /etc/default/security

Adding a new group (I use suroot as the new group) is very easy...pick an unused number for the group ID, duplicate an existing line in /etc/group and then modify the new line by changing the group name, group ID number and then add the users that will need this group membership. Something like this:

suroot::201:billh,lucy,pooky,nermal

When the users login and type the id command, they will see something like this:

uid=103(billh) gid=20(users) groups=201(suroot)

If a user leaves or no longer needs su capability, you simply edit /etc/group. It is very important to note that there are a *lot* of steps needed when a new user is added or deleted. You should have a clearly defined process for both circumstances. Otherwise, all the effort to ensure good security/stability practices with the security file can be undone by problem users.


Bill Hassell, sysadmin
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.