Restricting 'su'

Post by Tim Porte » Wed, 19 Mar 1997 04:00:00



Can anybody answer two questions I have about the su command in Solaris?

1). I have upgraded from SunOS 4.x to Solaris 2.5.1. Under SunOS 4.x, I
used to be able to restrict su so that only users in a certain group
(wheel)  could su to root. Is there any way of restricting su like this
under Solaris?  Users still need to be able to su to users
other than root.  Obviously, I have a password on root, but I would like
this extra level of security.

2). The setup at the moment only allows me to login directly as root on
the system console. But is there a way of changing this so that even on
the console you have to use su to become root?

Thanks in advance,

 Tim


Restricting 'su'

Post by Brian S. Craigie - NEC Scotla » Thu, 20 Mar 1997 04:00:00


[Posted and mailed]



> Can anybody answer two questions I have about the su command in Solaris?

> 1). I have upgraded from SunOS 4.x to Solaris 2.5.1. Under SunOS 4.x, I
> used to be able to restrict su so that only users in a certain group
> (wheel)  could su to root. Is there any way of restricting su like this
> under Solaris?  Users still need to be able to su to users
> other than root.  Obviously, I have a password on root, but I would like
> this extra level of security.

> 2). The setup at the moment only allows me to login directly as root on
> the system console. But is there a way of changing this so that even on
> the console you have to use su to become root?

su has in the past been the subject of several security issues and I would
submit it is less secure than simply not telling anyone the root password.

I'd suggest removing the execute permissions on su completely, and then install
sudo for use by those who need extra privileges.

That's much safer than using su.  Just my 2p worth...

(Please remove .SPAMOFF to reply by email)

--

Best Regards,

Brian S. Craigie
Unix Sysadmin
NEC Semiconductors (UK) Ltd

< Of course I'm not speaking for my employer.  I'm not even speaking for me! >
<< SPAM download fee: $100 per line >>


Restricting 'su'

Post by Casper H.S. Dik - Network Security Engine » Thu, 20 Mar 1997 04:00:00



>1). I have upgraded from SunOS 4.x to Solaris 2.5.1. Under SunOS 4.x, I
>used to be able to restrict su so that only users in a certain group
>(wheel)  could su to root. Is there any way of restricting su like this
>under Solaris?  Users still need to be able to su to users
>other than root.  Obviously, I have a password on root, but I would like
>this extra level of security.

Check ftp.wins.uva.nl:/pub/solaris for some modules that add such support.

>2). The setup at the moment only allows me to login directly as root on
>the system console. But is there a way of changing this so that even on
>the console you have to use su to become root?

(The Question isn't what you asked, but the answer is there:)

The solaris FAQ says:

3.7) Why can't I rlogin/telnet in as root?

    >... when I try to rlogin as root ...
    >it gives me the message "Not on system console
    >Connection closed.".  What have I left out?

    Solaris 2 comes out of the box a heck of a lot more secure than
    Solaris 1.  There is no '+' in the hosts.equiv.  root logins are not
    allowed anywhere except the console.  All accounts require passwords.
    In order to allow root logins over the net, you need to edit the
    /etc/default/login file and comment out or otherwise change the
    CONSOLE= line.

    This file's CONSOLE entry can actually be used in a variety of ways:

    1) CONSOLE=/dev/console (default) - direct root logins only on console
    2) CONSOLE=/dev/ttya - direct root logins only on /dev/ttya
    3) CONSOLE= - direct root logins disallowed everywhere
    4) #CONSOLE (or delete the line) - root logins allowed everywhere

    /etc/hosts.equiv is still supported, but there is no default.

    --- end of excerpt from the FAQ

Questions marked with a * or + have been changed or added since
the FAQ was last posted

The most recently posted version of the FAQ is available from
<http://www.wins.uva.nl/pub/solaris/solaris2/>
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
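An added audit script, not code from the thread, from Sun or from the FAQ: it maps the CONSOLE= line of an /etc/default/login-style file onto the four cases in the FAQ excerpt above, and reports whether a su binary is executable by everyone, by a single group only, or by root alone, which covers both Brian's "remove execute permissions on su" advice and the wheel-style restriction the original poster asks about. It assumes the group restriction is done by changing su's group and giving it mode 4750, and it takes file paths as parameters so it can be run against constructed copies rather than the live system.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two settings discussed above.
# console_policy() classifies the CONSOLE= line of a login defaults file into
# the four cases the FAQ lists; su_exposure() reports who can execute a su
# binary. The group-only case assumes the wheel-style setup of chgrp + mode 4750.

console_policy() {  # $1 = path to an /etc/default/login-style file
    line=$(grep -E '^[[:space:]]*#?[[:space:]]*CONSOLE' "$1" | tail -n 1 |
           sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$line" in
        "")        echo "root-login-everywhere (no CONSOLE line)" ;;
        \#*)       echo "root-login-everywhere (CONSOLE commented out)" ;;
        CONSOLE=)  echo "root-login-nowhere (CONSOLE= empty)" ;;
        CONSOLE=*) echo "root-login-only-on-${line#CONSOLE=}" ;;
        *)         echo "unrecognised: $line" ;;
    esac
}

su_exposure() {  # $1 = path to a su binary
    # First 10 chars of ls -ld, e.g. -rwsr-xr-x: char 7 = group x, char 10 = other x
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????????[xs]) echo "world-executable" ;;
        ??????[xs]???) echo "group-only:$(ls -ld "$1" | awk '{print $4}')" ;;
        *)             echo "root-only" ;;
    esac
}

# Constructed demo input (not real system files): the Solaris 2 default
# CONSOLE line and a stand-in su restricted to its group.
demo=$(mktemp -d)
printf 'PASSREQ=YES\nCONSOLE=/dev/console\n' > "$demo/login"
: > "$demo/su"; chmod 4750 "$demo/su"
echo "login: $(console_policy "$demo/login")"
echo "su:    $(su_exposure "$demo/su")"
rm -rf "$demo"
```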


1. restricting 'su'

Isn't there a way to restrict who can use the "su" command?  Call me
silly but I would have sworn that a few years ago all that needed doing
was to put the people who could use "su" in the /etc/group file as
"sysadmin" and that way no one else could "su".  I'm now seeing that
isn't correct.  Was I delusional?  Isn't there a way to keep Joe Blow
from doing "su" ?

I'm speaking of SPARC Solaris 2.3 and 2.5 but we also have 2.5.1 and
2.6 machines around here.

Thanks in advance for any clarification.
