restrict use of 'su' or 'su -'

restrict use of 'su' or 'su -'

Post by Bart » Thu, 12 Apr 2001 00:05:51



Hello again,

how can I restrict the use of 'su' or 'su -' ? I want to make it impossible
that someone, who has an account, can ssh in and do all kinds of 'root'-
stuff...

Thanks for any tips or help.
Bart
------
RH6.2 kernel 2.2.18

 
 
 

restrict use of 'su' or 'su -'

Post by Erlend J. Leikne » Thu, 12 Apr 2001 00:12:39


Take a look in /etc/login.defs
You can define which groups who can su to root user.


Quote:> Hello again,

> how can I restrict the use of 'su' or 'su -' ? I want to make it
impossible
> that someone, who has an account, can ssh in and do all kinds of 'root'-
> stuff...

> Thanks for any tips or help.
> Bart
> ------
> RH6.2 kernel 2.2.18


 
 
 

restrict use of 'su' or 'su -'

Post by Rick Matthe » Thu, 12 Apr 2001 00:13:47




Quote:>how can I restrict the use of 'su' or 'su -' ? I want to make it
>impossible that someone, who has an account, can ssh in and do all
>kinds of 'root'- stuff...

Don't give them the root password?

--
Always remember:
http://mysite.directlink.net/matthews/smiles/started.htm

 
 
 

restrict use of 'su' or 'su -'

Post by jose » Thu, 12 Apr 2001 00:38:42



> Give su the wheel group permissions, then add only proper users to the
> wheel group.  This is a common solution on many variants of linux and bsd.

this can be accomplished by the following:

chmod o-rwx /bin/su
chown root.wheel /bin/su

and ensuring that the people you want to use su are in the wheel group.


 
 
 

restrict use of 'su' or 'su -'

Post by Bart » Thu, 12 Apr 2001 01:35:05




Quote:> Don't give them the root password?

Off course... ;-)
Tnx !
 
 
 

restrict use of 'su' or 'su -'

Post by Bill Unr » Thu, 12 Apr 2001 01:40:16



Quote:>how can I restrict the use of 'su' or 'su -' ? I want to make it impossible
>that someone, who has an account, can ssh in and do all kinds of 'root'-
>stuff...

That is what the root password is for. You do have a password for root
don't you? If they do not know the password, they cannot use su.
 
 
 

restrict use of 'su' or 'su -'

Post by Davi » Thu, 12 Apr 2001 02:31:36



> Hello again,

> how can I restrict the use of 'su' or 'su -' ? I want to make it impossible
> that someone, who has an account, can ssh in and do all kinds of 'root'-
> stuff...

> Thanks for any tips or help.
> Bart
> ------
> RH6.2 kernel 2.2.18

You can do it with the following:

vi /etc/pam.d/su
and add the following to the top of the file just below "#%PAM-1.0"

   auth  sufficient  /lib/security/pam_rootok.so debug
   auth  required  /lib/security/pam_wheel.so group=wheel

Then issue the command below.

     usermod -G10 username

where username is user you wish to allow "su" access and the "10" being
the wheel group ID in /etc/group

--
Confucius say: He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
ID # 123538
Completed more W/U's than 99.154% of seti users. +/- 0.01%

 
 
 

restrict use of 'su' or 'su -'

Post by Mario Husan » Thu, 12 Apr 2001 03:50:02


Quote:> this can be accomplished by the following:

> chmod o-rwx /bin/su

ATTENTION:

On my system the suid-bit got lost by this chmod !

Better use
    > chown root.wheel /bin/su
and
    chmod 4550 /bin/su

 
 
 

restrict use of 'su' or 'su -'

Post by Craig Van Tassl » Thu, 12 Apr 2001 08:47:33




> >how can I restrict the use of 'su' or 'su -' ? I want to make it impossible
> >that someone, who has an account, can ssh in and do all kinds of 'root'-
> >stuff...

> That is what the root password is for. You do have a password for root
> don't you? If they do not know the password, they cannot use su.

You are doing the Security through obscurity.  That is no real security, only a false sense of
secutrity.. rembemer that there are password crackers out there that will give the cracker the
password... and thus root your system (very bad)

Craig

 
 
 

restrict use of 'su' or 'su -'

Post by Erlend J. Leikne » Thu, 12 Apr 2001 09:03:14


No, but if you telnet to the box. Login as normal user, and then need to do
some system-maintance.
You use the nice little command su without any second thought about evil
pirates who are sniffing the password as you type it.




> >how can I restrict the use of 'su' or 'su -' ? I want to make it
impossible
> >that someone, who has an account, can ssh in and do all kinds of 'root'-
> >stuff...

> That is what the root password is for. You do have a password for root
> don't you? If they do not know the password, they cannot use su.

 
 
 

restrict use of 'su' or 'su -'

Post by Davi » Thu, 12 Apr 2001 10:21:41



> No, but if you telnet to the box. Login as normal user, and then need to do
> some system-maintance.
> You use the nice little command su without any second thought about evil
> pirates who are sniffing the password as you type it.

All that does is make you have to enter the full path to the commands
but still gives you root permissions and doesn't have anything to do
with passwords.

--
Confucius say: He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
ID # 123538
Completed more W/U's than 99.154% of seti users. +/- 0.01%

 
 
 

restrict use of 'su' or 'su -'

Post by Rick Matthe » Thu, 12 Apr 2001 14:17:15




Quote:>All that does is make you have to enter the full path to the commands

Use "su -"

--
Always remember:
http://mysite.directlink.net/matthews/smiles/started.htm

 
 
 

restrict use of 'su' or 'su -'

Post by Johnny A. Solb » Thu, 12 Apr 2001 21:09:41


Quote:> Give su the wheel group permissions, then add only proper users to the wheel group.

Do what I have. Create a "su" group, & change the group to su for the /bin/su
Then add your trusted user(s) to the su group.

--
Solbu - http://move.to/johnny.solbu
Remove _SPAMBLOCK_ for email
*********************************************
PGP key ID: 0xFA687324
*********************************************