Prevent SU to root ????

Post by John A. Gesuald » Wed, 29 Oct 1997 04:00:00



    How does one go about limiting the ability of users to su to root.
This was a feature in SunOS using the wheel group in /etc/group.

Thanks

 
 
 


Post by BRANDON WILLIAM HU » Wed, 29 Oct 1997 04:00:00



:     How does one go about limiting the ability of users to su to root.
: This was a feature in SunOS using the wheel group in /etc/group.

Well...
   chgrp staff /usr/bin/su
   chmod 4750 /usr/bin/su

Then, only members of group staff can use su... of course, they can't su
to other users either, but thems the breaks...

--
|   Brandon Hume aka "Hurricane" - hume at ug.cs.dal.ca & isisnet.com   |
|          "What was your username again?  *Clickity-click*"            |

 
 
 


Post by John Keet » Wed, 29 Oct 1997 04:00:00


John A. Gesualdi wrote in comp.unix.solaris:

>    How does one go about limiting the ability of users to su to root.
>This was a feature in SunOS using the wheel group in /etc/group.

Not to be a smartass, but not giving out the root passwd would be a great
start.  That is the only way a user can gain root access through /bin/su..
Maybe I (we?) misunderstood your question..

                jkeeton

--

========================================================================
All commercial email will be forwarded to postmaster at your site.
 Standard Position:  Hiding in a corner, under a desk, in fetal position, arms
   covering head and quietly whimpering.

 
 
 


Post by Peter Edlun » Thu, 30 Oct 1997 04:00:00


Well if you want to give some of your users limited root-access the
easiest way is using any of the packages for this that exist. The one I
think's the best is 'sudo'. Fully configurable and you never ever have
to give away your precious root password.

//Peter.
------------------------------
Peter Edlund
UNIX development engineer
Cap Gemini Sweden


> John A. Gesualdi wrote in comp.unix.solaris:
> >    How does one go about limiting the ability of users to su to root.
> >This was a feature in SunOS using the wheel group in /etc/group.

> Not to be a smartass, but not giving out the root passwd would be a great
> start.  That is the only way a user can gain root access through /bin/su..
> Maybe I (we?) misunderstood your question..

>                 jkeeton

> --

> ========================================================================
> All commercial email will be forwarded to postmaster at your site.
>  Standard Position:  Hiding in a corner, under a desk, in fetal position, arms
>    covering head and quietly whimpering.

--
 
 
 


Post by Dr. Dolphi » Thu, 30 Oct 1997 04:00:00



>     How does one go about limiting the ability of users to su to root.
> This was a feature in SunOS using the wheel group in /etc/group.

> Thanks

Change the root password.

DD

 
 
 


Post by Casper H.S. Dik - Network Security Engine » Fri, 31 Oct 1997 04:00:00


[[ Reply by email or post, don't do both ]]




>> >     How does one go about limiting the ability of users to su to root.
>> > This was a feature in SunOS using the wheel group in /etc/group.

>> > Thanks

>> Change the root password.
>Or implement your own version of the wheel group. I like to use GID
>14 (sysadmin) on Solaris. 'chgrp' /bin/su to sysadmin, then 'chmod' it
>to 4550.

Or ftp.wins.uva.nl:/pub/solaris/

There's su_group0.c for Solaris 2.6 and some PAM modules for 2.4-2.5.1
(SPARC binaries only)

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

 
 
 


Post by Alan Coopersmi » Fri, 31 Oct 1997 04:00:00



>Or implement your own version of the wheel group. I like to use GID
>14 (sysadmin) on Solaris. 'chgrp' /bin/su to sysadmin, then 'chmod' it
>to 4550.

Be very careful doing this - anyone in group 14 basically has full root
privileges by virtue of just being in this group.  (Admintool will let
them change any user's password, including root's.)

--
________________________________________________________________________

Univ. of California at Berkeley         http://soar.Berkeley.EDU/~alanc/

 
 
 


Post by Vik Varm » Fri, 31 Oct 1997 04:00:00




> >     How does one go about limiting the ability of users to su to root.
> > This was a feature in SunOS using the wheel group in /etc/group.

> > Thanks

> Change the root password.

Or implement your own version of the wheel group. I like to use GID
14 (sysadmin) on Solaris. 'chgrp' /bin/su to sysadmin, then 'chmod' it
to 4550.

--
Vik Varma                               VeriSign, Inc
System Administrator                    (650) 429-3352
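
An added example, not part of the original thread: a POSIX shell audit for the chgrp/chmod approach suggested in the posts above. It reports who can execute su after the change, including users whose primary GID in passwd is that group, and flags the GID 14 caveat raised earlier. The function names and the file arguments are this example's own.

```shell
#!/bin/sh
# Added example: who can execute a group-restricted, setuid su?
# Reads only the files given; NIS/LDAP members are not seen.

# su_exec_scope PATH -> world | group | owner | none (from the ls mode string)
su_exec_scope() {
    mode=$(ls -ln "$1" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c10) in x|t) echo world; return ;; esac
    case $(printf '%s' "$mode" | cut -c7)  in x|s) echo group; return ;; esac
    case $(printf '%s' "$mode" | cut -c4)  in x|s) echo owner; return ;; esac
    echo none
}

# su_is_setuid PATH -> status 0 when the setuid bit (with owner execute) is set
su_is_setuid() { [ "$(ls -ln "$1" | cut -c4)" = s ]; }

# su_file_gid PATH -> numeric group owner of the file
su_file_gid() { ls -ln "$1" | awk '{ print $4; exit }'; }

# group_users GID GROUPFILE PASSWDFILE -> sorted user names in that group,
# from the group file's member list and from primary GIDs in passwd
group_users() {
    {
        awk -F: -v g="$1" '$3 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        awk -F: -v g="$1" '$4 == g { print $1 }' "$3"
    } | sort -u
}

# audit_su PATH GROUPFILE PASSWDFILE -> report on stdout
audit_su() {
    scope=$(su_exec_scope "$1"); gid=$(su_file_gid "$1")
    su_is_setuid "$1" || echo "note: $1 is not setuid"
    echo "execute scope: $scope (group owner gid $gid)"
    if [ "$scope" = group ]; then
        echo "users able to run it:"
        group_users "$gid" "$2" "$3" | sed 's/^/  /'
        # Caveat from the thread: Solaris GID 14 (sysadmin) members can
        # also change any user's password through Admintool.
        if [ "$gid" = 14 ]; then echo "warning: gid 14 carries Admintool rights"; fi
    fi
}

# Usage: sh audit_su.sh /usr/bin/su /etc/group /etc/passwd
if [ $# -eq 3 ]; then audit_su "$@"; fi
```
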

 
 
 


Post by G. La » Sat, 01 Nov 1997 04:00:00



:     How does one go about limiting the ability of users to su to root.
: This was a feature in SunOS using the wheel group in /etc/group.

Go to:
        ftp://ftp.fwi.uva.nl/pub/solaris/
Then check out the README which file you should install (unix, pam or su).

--
#  Grzegorz Labe       http://ultra.cto.us.edu.pl/YELLKY/  ### ### ###
#  Centrum Techniki Obliczeniowej  Uniwersytetu Slaskiego  #    #  # #
#  ul. Uniwersytecka 4       40-877 Katowice       Poland  #    #  # #

 
 
 
