restricting su


Post by darrin hodge » Thu, 14 May 1998 04:00:00



Hello,
    Is there a way of restricting users from su'ing to root? I know
from Linux experience you can set the
SU_WHEEL_ONLY option to YES in the /etc/login.defs file and add users
to the wheel group.

There is no such option in /etc/default/su.

I have gotten around it by putting a wrapper on su and creating an
access file in /etc/default/sugrp. I'm sure Solaris (2.5.1) must have a
similar setup to the Linux one I just mentioned; I can't seem to find any
info.

tia
darrin hodges

 
 
 


Post by Scott Alla » Thu, 14 May 1998 04:00:00


Hi -
        looked at this myself a while ago - I didn't find a way and
Sun have this logged on Sunsolve (SRDB id 6065..)

Basically there is no way of restricting who su's to root under Solaris,
you would have to come up with something yourself I guess.

Scott
Unix System Admin
GEC-Marconi


>     Is there a way of restricting users from su'ing to root? I know
> from Linux experience you can set the
> SU_WHEEL_ONLY option to YES in the /etc/login.defs file and add users to the wheel group.
> There is no such option in /etc/default/su.
> I have gotten around it by putting a wrapper on su and creating an
> access file in /etc/default/sugrp. I'm sure Solaris (2.5.1) must have a
> similar setup to the Linux one I just mentioned; I can't seem to find any
> info.


 
 
 


Post by Fletcher Gle » Thu, 14 May 1998 04:00:00


The simplest method that works every time is to not give out the password and
to change the password (which is not in any dictionary) frequently.  I'm
fond of using acronyms such as "esadmf" which are easy to remember.
(If you're puzzled, the 'd' stands for "die").

--
                Fletcher Glenn


>Hi -
>    looked at this myself a while ago - I didn't find a way and
>Sun have this logged on Sunsolve (SRDB id 6065..)

>Basically there is no way of restricting who su's to root under Solaris,
>you would have to come up with something yourself I guess.

>Scott
>Unix System Admin
>GEC-Marconi


>>     Is there a way of restricting users from su'ing to root? I know
>> from Linux experience you can set the
>> SU_WHEEL_ONLY option to YES in the /etc/login.defs file and add users to the wheel group.
>> There is no such option in /etc/default/su.
>> I have gotten around it by putting a wrapper on su and creating an
>> access file in /etc/default/sugrp. I'm sure Solaris (2.5.1) must have a
>> similar setup to the Linux one I just mentioned; I can't seem to find any
>> info.

 
 
 


Post by Mark Hi » Thu, 14 May 1998 04:00:00


On Wed, 13 May 1998 11:35:25 +0100, in comp.unix.solaris Scott


>Basically there is no way of restricting who su's to root under Solaris,
>you would have to come up with something yourself I guess.

        Actually there is.
First put the users you want to give su permission to in the
sysadmin (14) group.
Change the group of /bin/su to 14 (sysadmin)
Change the mode of /bin/su to -r-sr-xr-- (chmod o-x /bin/su)

 Mark J. Hirt

 Sun Solaris 2.X systems administrator

 http://homepage.interaccess.com/~nxracer
 http://www.aero-rexnord.com
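
The three steps in the post above leave /bin/su setuid, group-owned by sysadmin and without execute permission for "other". As an added example (not part of the original thread), this read-only check confirms that an su binary still has that layout, for instance after patching or upgrading; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of the group-restricted su layout
# (setuid, group-owned by the admin group, no execute bit for "other").

# file_group PATH: print the group owner as shown by ls (field 4).
# ls is parsed because stat(1) is missing on older Unix systems; -L follows
# symlinks such as /bin -> /usr/bin.
file_group() {
    set -- $(ls -lLd "$1")
    echo "$4"
}

# check_su_restricted PATH GROUP
# Prints one line per finding; returns 0 if the layout matches, 1 if not,
# 2 if PATH is not a regular file.
check_su_restricted() {
    path=$1 want=$2 rc=0
    [ -f "$path" ] || { echo "MISSING: $path"; return 2; }

    set -- $(ls -lLd "$path")
    mode=$1

    # Mode string positions: 1 type, 2-4 owner, 5-7 group, 8-10 other.
    case $mode in
        ???s*) ;;                       # setuid and owner-executable
        *) echo "FAIL: $path is not setuid-executable ($mode)"; rc=1 ;;
    esac
    case $mode in
        ??????[xs]*) ;;                 # group members can run it
        *) echo "FAIL: group has no execute permission ($mode)"; rc=1 ;;
    esac
    case $mode in
        ?????????[xt]*) echo "FAIL: other can still execute ($mode)"; rc=1 ;;
    esac
    case $mode in
        ?????w*|????????w*) echo "FAIL: group/other writable ($mode)"; rc=1 ;;
    esac

    got=$(file_group "$path")
    [ "$got" = "$want" ] || { echo "FAIL: group is $got, expected $want"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $path restricted to group $want ($mode)"
    return "$rc"
}

# Usage: sh check_su.sh /bin/su sysadmin
if [ $# -eq 2 ]; then
    check_su_restricted "$1" "$2"
fi
```

A pass only says who may execute the binary: users outside the group lose su to every account, not just root, which is the side effect raised later in the thread.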

 
 
 


Post by Kurt J. Lanz » Thu, 14 May 1998 04:00:00



> Hi -
>         looked at this myself a while ago - I didn't find a way and
> Sun have this logged on Sunsolve (SRDB id 6065..)

> Basically there is no way of restricting who su's to root under Solaris,
> you would have to come up with something yourself I guess.

> Scott
> Unix System Admin
> GEC-Marconi


> >     Is there a way of restricting users from su'ing to root? I know
> > from Linux experience you can set the
> > SU_WHEEL_ONLY option to YES in the /etc/login.defs file and add users to the wheel group.
> > There is no such option in /etc/default/su.
> > I have gotten around it by putting a wrapper on su and creating an
> > access file in /etc/default/sugrp. I'm sure Solaris (2.5.1) must have a
> > similar setup to the Linux one I just mentioned; I can't seem to find any
> > info.

Ummm.... Surely if you don't post the flaming root password on the
company bulletin board, someone who doesn't know it won't be able to
su to root? Or is there some reason why you think the root password
should be public knowledge?
 
 
 


Post by Dr. Dolphi » Thu, 14 May 1998 04:00:00


I'm thinking........Don't tell them the root password?

Just a thought.

DD


> Hello,
>     Is there a way of restricting users from su'ing to root? I know
> from Linux experience you can set the
> SU_WHEEL_ONLY option to YES in the /etc/login.defs file and add users
> to the wheel group.

> There is no such option in /etc/default/su.

> I have gotten around it by putting a wrapper on su and creating an
> access file in /etc/default/sugrp. I'm sure Solaris (2.5.1) must have a
> similar setup to the Linux one I just mentioned; I can't seem to find any
> info.

> tia
> darrin hodges

 
 
 


Post by Tom Metzg » Sat, 16 May 1998 04:00:00


This was posted the other day and I haven't seen any follow-ups by people
either agreeing with or disputing this method.  So my question is;  This
method seems (on paper) that it would work.  Are there any considerations
or situations in which this might cause trouble down the road (or at the
very least "headaches") ?  We are running SPARC Solaris 2.3, 2.5, 2.5.1
and 2.6 on 5 separate machines (I know...we're upgrading them all
when 2.6.1 comes out) so assume the question is for all those versions.

Thanks in advance.

----------- Begin Forwarded Message -----------

>Subject: Re: restricting su

>Newsgroups: comp.unix.solaris
>NNTP-Posting-Host: d135.avn2.interaccess.com
>Date: Wed, 13 May 1998 12:26:30 -0500

>Organization: InterAccess Co., Chicago's Full Service Internet Provider

>Content-Encoding: 7bit
>On Wed, 13 May 1998 11:35:25 +0100, in comp.unix.solaris Scott

>>Basically there is no way of restricting who su's to root under Solaris,
>>you would have to come up with something yourself I guess.
>    Actually there is.
>First put the users you want to give su permission to in the
>sysadmin (14) group.
>Change the group of /bin/su to 14 (sysadmin)
>Change the mode of /bin/su to -r-sr-xr-- (chmod o-x /bin/su)

--
Tom Metzger -> INCOLSA Unix System Administrator -> http://www.palni.edu/~tom
Help Stop Internet Spam! --->                           http://spam.abuse.net
Don't Spread That Hoax! -->           http://www.nonprofit.net/hoax/hoax.html
 
 
 


Post by Arindum Mukerj » Sat, 16 May 1998 04:00:00


Well, of course it would stop people not in the sysadmin group from su'ing
to a different UID at all. This sometimes can be inconvenient if you have
a bunch of users maintaining, say, an informix database running under the
username 'informix' for example, and they need to su to the informix user
from time to time to do their maintenance (usually it would be better to
let such users not telnet or rlogin in, and rather su once they log in.)

But that is pretty obvious...

Arindum


> This was posted the other day and I haven't seen any follow-ups by people
> either agreeing with or disputing this method.  So my question is;  This
> method seems (on paper) that it would work.  Are there any considerations
> or situations in which this might cause trouble down the road (or at the

> >On Wed, 13 May 1998 11:35:25 +0100, in comp.unix.solaris Scott

> >First put the users you want to give su permission to in the
> >sysadmin (14) group.
> >Change the group of /bin/su to 14 (sysadmin)
> >Change the mode of /bin/su to -r-sr-xr-- (chmod o-x /bin/su)

 
 
 


Post by Johnny Y » Sat, 16 May 1998 04:00:00


: Hello,
:     Is there a way of restricting users from su'ing to root? I know
: from Linux experience you can set the
: SU_WHEEL_ONLY option to YES in the /etc/login.defs file and add users
: to the wheel group.

: There is no such option in /etc/default/su.

: I have gotten around it by putting a wrapper on su and creating an
: access file in /etc/default/sugrp. I'm sure Solaris (2.5.1) must have a
: similar setup to the Linux one I just mentioned; I can't seem to find any
: info.

: tia
: darrin hodges

You can get a version of /usr/security/lib/pam_authen.so from
ftp://coast.cs.purdue.eda.  Then only those who belong to the group "wheel" can
su root.  Mark's suggestion of chgrp /bin/su is good, but it would forbid all
users from su to another user, su <user2>.

--
Regards,
Johnny Yan.

 
 
 

1. restrict su using sugroups option

Back in March this year - there was a problem reported in this group, where
the sugroups option seemingly wasn't working.

Basically, a restriction can be imposed, where a user has to be part of
certain groups before he is allowed to su to the user with the sugroups
value imposed.

Normally, su requests the password, and then denies entry.

In this case, and in my experience recently, following the successful
password entry, the su completes.

I experienced the problem on a machine running bos.rte.security 4.3.3.81 -
whilst it worked OK on 4.3.3.50 and 4.3.3.88.

Upgrading bos.rte.security, and pre-requisites, resulted in the sugroups
working as expected. However, there appears no mention of this problem
within IBM.

I suspect that a PTF broke it, and a subsequent PTF fixed the error - and
either they didn't notice it, or hoped that no-one would notice...

Malcolm
--
Malcolm - Great Britain Old Timers #32 - 19/Apr/2002 GB 5 HC Paris 4
Goaltending is 90% mental, the other 10% is in your head (ICQ#8195978)
Hockey Results & Tables: http://homepages.tcp.co.uk/~sonic/hockey.html
