Very Computer

by **darrin hodge** » Thu, 14 May 1998 04:00:00

hello
is there a way of restricting user`s from su`ing to root?, i know
from linux experience you can set the
SU_WHEEL_ONLY option to YES in the /etc/login.defs file and adding users
to the wheel group .

there is no such option in /etc/default/su

i have gotten around it by putting a wrapper on su and creating an
access file in/etc/default/sugrp, im sure solaris (2.5.1) must have a
similar setup to linux one i just mentioned, i can`t seem to find any
info.

tia
darrin hodges

by **Scott Alla** » Thu, 14 May 1998 04:00:00

Hi -
looked at this myself a while ago - I didnt find a way and
Sun have this logged on Sunsolve (SRDB id 6065..)

Basically there is no way of restricting who su's to root under Solaris,
you would have to come up with something yourself I guess.

Scott
Unix System Admin
GEC-Marconi

> is there a way of restricting user`s from su`ing to root?, i know
> from linux experience you can set the
> SU_WHEEL_ONLY option to YES in the /etc/login.defs file and adding users to the wheel group .
> there is no such option in /etc/default/su
> i have gotten around it by putting a wrapper on su and creating an
> access file in/etc/default/sugrp, im sure solaris (2.5.1) must have a
> similar setup to linux one i just mentioned, i can`t seem to find any
> info.

by **Fletcher Gle** » Thu, 14 May 1998 04:00:00

The simplest method that works every time is to not give out the password and
to change the password (which is not in any dictionary) frequently. I'm
fond of using acronyms such as "esadmf" which are easy to remember.
(If you're puzzled, the 'd' stands for "die").

--
Fletcher Glenn

>Hi -
> looked at this myself a while ago - I didnt find a way and
>Sun have this logged on Sunsolve (SRDB id 6065..)

>Basically there is no way of restricting who su's to root under Solaris,
>you would have to come up with something yourself I guess.

>Scott
>Unix System Admin
>GEC-Marconi

>> is there a way of restricting user`s from su`ing to root?, i know
>> from linux experience you can set the
>> SU_WHEEL_ONLY option to YES in the /etc/login.defs file and adding users to the wheel group .
>> there is no such option in /etc/default/su
>> i have gotten around it by putting a wrapper on su and creating an
>> access file in/etc/default/sugrp, im sure solaris (2.5.1) must have a
>> similar setup to linux one i just mentioned, i can`t seem to find any
>> info.

by **Mark Hi** » Thu, 14 May 1998 04:00:00

On Wed, 13 May 1998 11:35:25 +0100, in comp.unix.solaris Scott

>Basically there is no way of restricting who su's to root under Solaris,
>you would have to come up with something yourself I guess.

Actually there is.
First put the users you want to give su permission to in the
sysadmin (14) group.
Change the group of /bin/su to 14 (sysadmin)
Change the mode of /bin/su to -r-sr-xr-- (chmod o-x /bin/su)

Mark J. Hirt

Sun Solaris 2.X systems administrator

http://homepage.interaccess.com/~nxracer
http://www.aero-rexnord.com

by **Kurt J. Lanz** » Thu, 14 May 1998 04:00:00

> Hi -
> looked at this myself a while ago - I didnt find a way and
> Sun have this logged on Sunsolve (SRDB id 6065..)

> Basically there is no way of restricting who su's to root under Solaris,
> you would have to come up with something yourself I guess.

> Scott
> Unix System Admin
> GEC-Marconi

> > is there a way of restricting user`s from su`ing to root?, i know
> > from linux experience you can set the
> > SU_WHEEL_ONLY option to YES in the /etc/login.defs file and adding users to the wheel group .
> > there is no such option in /etc/default/su
> > i have gotten around it by putting a wrapper on su and creating an
> > access file in/etc/default/sugrp, im sure solaris (2.5.1) must have a
> > similar setup to linux one i just mentioned, i can`t seem to find any
> > info.

Ummm.... Surely if you don't post the flaming root password on the
company bulletin board, someone who doesn'y know it won'y be able to
su to root? Or is there some reason why you think the root password
should be public knowledge?

by **Dr. Dolphi** » Thu, 14 May 1998 04:00:00

I'm thinking........Don't tell them the root password?

Just a thought.

DD

> hello
> is there a way of restricting user`s from su`ing to root?, i know
> from linux experience you can set the
> SU_WHEEL_ONLY option to YES in the /etc/login.defs file and adding users
> to the wheel group .

> there is no such option in /etc/default/su

> i have gotten around it by putting a wrapper on su and creating an
> access file in/etc/default/sugrp, im sure solaris (2.5.1) must have a
> similar setup to linux one i just mentioned, i can`t seem to find any
> info.

> tia
> darrin hodges

by **Tom Metzg** » Sat, 16 May 1998 04:00:00

This was posted the other day and I haven't seen any follow-ups by people
either agreeing with or disputing this method. So my question is; This
method seems (on paper) that it would work. Are there any considerations
or situations in which this might cause trouble down the road (or at the
very least "headaches") ? We are running SPARC Solaris 2.3, 2.5, 2.5.1
and 2.6 on 5 separate machines (I know...we're upgrading them all
when 2.6.1 comes out) so assume the question is for all those versions.

Thanks in advance.

----------- Begin Forwarded Message -----------

>Subject: Re: restricting su

>Newsgroups: comp.unix.solaris
>NNTP-Posting-Host: d135.avn2.interaccess.com
>Date: Wed, 13 May 1998 12:26:30 -0500

>Organization: InterAccess Co., Chicago's Full Service Internet Provider

>Content-Encoding: 7bit
>On Wed, 13 May 1998 11:35:25 +0100, in comp.unix.solaris Scott

>>Basically there is no way of restricting who su's to root under Solaris,
>>you would have to come up with something yourself I guess.
> Actually there is.
>First put the users you want to give su permission to in the
>sysadmin (14) group.
>Change the group of /bin/su to 14 (sysadmin)
>Change the mode of /bin/su to -r-sr-xr-- (chmod o-x /bin/su)

--
Tom Metzger -> INCOLSA Unix System Administrator -> http://www.palni.edu/~tom
Help Stop Internet Spam! ---> http://spam.abuse.net
Don't Spread That Hoax! --> http://www.nonprofit.net/hoax/hoax.html

by **Arindum Mukerj** » Sat, 16 May 1998 04:00:00

Well, of course it would stop people not in the sysadmin group from su'ing
to a different UID at all. This sometimes can be inconvenient if you have
a bunch of users maintaining, say, an informix database running under the
username 'informix' for example, and they need to su to the informix user
from time to time to do their maintenance (usually it would be better to
let such users not telnet or rlogin in, and rather su once they log in.)

But that is pretty obvious...

Arindum

> This was posted the other day and I haven't seen any follow-ups by people
> either agreeing with or disputing this method. So my question is; This
> method seems (on paper) that it would work. Are there any considerations
> or situations in which this might cause trouble down the road (or at the

> >On Wed, 13 May 1998 11:35:25 +0100, in comp.unix.solaris Scott

> >First put the users you want to give su permission to in the
> >sysadmin (14) group.
> >Change the group of /bin/su to 14 (sysadmin)
> >Change the mode of /bin/su to -r-sr-xr-- (chmod o-x /bin/su)

by **Johnny Y** » Sat, 16 May 1998 04:00:00

: hello
: is there a way of restricting user`s from su`ing to root?, i know
: from linux experience you can set the
: SU_WHEEL_ONLY option to YES in the /etc/login.defs file and adding users
: to the wheel group .

: there is no such option in /etc/default/su

: i have gotten around it by putting a wrapper on su and creating an
: access file in/etc/default/sugrp, im sure solaris (2.5.1) must have a
: similar setup to linux one i just mentioned, i can`t seem to find any
: info.

: tia
: darrin hodges

You can get a version of /usr/security/lib/pam_authen.so from ftp://coast.cs
.purdue.eda. Then only those belong to the group "wheel" can su root. Mark's
suggestion of chgrp /bin/su is good, but it would forbid all users from
su to another user, su <user2>.

--
Regards,
Johnny Yan.