Hi everybody, I need to deny a direct access of some users (root, oracle) via telnet, force them to login as different user and using su. Logins are not restricted to specific hosts.
When using su, user displayed by "who -m" is always the user who first issued telnet to the host. You can then in root's .profile get result of this command and compare to a valid user list (only readable and writable by root).
How can one keep users from running the su(1) command, yet still allow a couple of users to be able to do this? RESOLUTION This feature is available via the SU_ROOT_GROUP parameter on HP-UX 11.11 and HP-UX 11.00 with the following patch installed:
PHCO_15232 s700_800 11.00 su(1) cumulative patch The current version is PHCO_16127.
Yes you can restrict 'su' for certain users by specifying in
/etc/default/security
man security shows:
SU_ROOT_GROUP
This parameter defines the root group name for the su command. Refer to su(1).
SU_ROOT_GROUP=group_name The root group name is set to the specified symbolic group name. The su command enforces the restriction that a non-superuser must be a member of the specified root group to be allowed to su to root. This does not alter password checking.
Default value: If this parameter is not defined or if it is commented out, there is no default value. In this case, a non superuser is allowed to su to root without being bound by root group restrictions.
