su (-) command | Unix Linux Forums | UNIX for Advanced & Expert Users

#1 PzYon, 09-06-2002

With the su command you can switch to any user on the system, if you know his password. Example: "su - root" switches to the root user.
This way the profile of the user (here root) will be loaded and you will get the rights of root. But if you enter "su root" (without "-") you just get the rights of root, but you don't actually load his profile.
Now I need a way, so that the user can't use the command without the "-". Example: "su - root" is possible and "su root" should not be possible!
Has anybody got an idea how I can solve this problem?

#2 Optimus_P, 09-06-2002
You can restrict them from the command, but you can't restrict them from the options of the command.

#3 RTM, 09-06-2002
I can't fathom why you would want to do this.

You could set up a script or executable to replace the su command so that it gets executed instead, looks for the $1 option and, if it's a -, removes it before sending the information to the real su.

# mv /bin/su /bin/oldsu
# cp /mynewsu /bin/su
# su - joeuser

Your script would have to be able to receive the two parameters.
Logic would remove the -, and then run /bin/oldsu with the parameter joeuser (if there was no userid, then root).

Of course, a person that can list /bin could see the /bin/oldsu and run it directly. There would be no real way to get rid of that problem.

Your best bet would be to get sudo or some other program. Also any upgrades or patches added to the server may replace your su program.

But this could possibly be done. I have never done it but it's one idea. I wouldn't recommend it even though I put it out here.

#4 PzYon, 09-06-2002
I've just thought of that idea, after I posted here. Thanks anyway, it works!

#5 Kelam_Magnus, 09-06-2002
IMHO, I think you need to restrict root access more. But that's just me.

Also, typically you don't need to use su - root. You can just type su - and this will default to root, at least on HPUX. You only need to specify su - username for any other user besides root. Again, this is my experience on HPUX.

Your answer is to alias su to su -, which you probably already figured out. You can overwrite a command by aliasing it. When you remove the alias the original command takes over again.

alias su=`su -` # syntax depends on OS version # those are backticks

#6 RTM, 09-06-2002
Kelam,

Setting an alias such as you suggest brings about a problem - if the alias is set and the user still does su -, the system will think the user wants to su - to userID - (which it then informs you does not exist).

medusa% alias su 'su -'
medusa% su
Password:
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
[root@medusa]:/root
# exit
medusa% su -
su: Unknown id: -


You at least read the post more carefully than I, as I thought PzYon wanted it so they could not do su -. The logic in the script could still be done. The alias solution might work but a more intricate solution would be needed.

#7 Kelam_Magnus, 09-09-2002
To be perfectly in control ... script it...

Something in a script would be more reliable. Then you could take whatever was entered after "su" as variables.

You would have to move the su binary somewhere out of the PATH and then create a script in the original location called "su".

Then anything after the command will be read as input which you can then force the result you want by coding it in a script.

This should be fairly easy to do, probably only 20 lines or so.


My 2K anyway.
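
Added example, not part of any post in this thread: the wrapper idea from posts #3 and #7, written so that "-" is prepended only when it is missing, which avoids the "su - -" failure ("Unknown id: -") shown in post #6. The REAL_SU default reuses the /bin/oldsu path from post #3, the function names are assumptions, and "-l" / "--login" are the util-linux spellings of "-", which the thread does not mention.

```shell
#!/bin/sh
# Added example: force every su invocation to be a login ("su -") invocation.
# REAL_SU is an assumed location for the relocated binary; post #3 used /bin/oldsu.
REAL_SU=${REAL_SU:-/bin/oldsu}

# Succeeds when the first argument already asks for a login environment.
# Only the first argument is inspected, matching the "su - user" form in the thread.
has_login_flag() {
    case "${1-}" in
        -|-l|--login) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print the argument vector that would be handed to the real su, one per line.
# Used to inspect the rewrite without actually switching user.
login_args() {
    has_login_flag "$@" || set -- - "$@"
    printf '%s\n' "$@"
}

# Rewrite the arguments the same way, then replace this process with the real su.
# Quoting "$@" keeps arguments with spaces (e.g. after -c) intact.
main() {
    has_login_flag "$@" || set -- - "$@"
    exec "$REAL_SU" "$@"
}

# Only take over when installed under the name "su"; sourcing or running the
# file under another name just defines the functions.
if [ "${0##*/}" = su ]; then
    main "$@"
fi
```

The wrapper runs with the caller's own privileges, so the real binary has to stay executable by the same users, and anyone who finds it can call it directly, as post #3 points out. It sets a default rather than enforcing access control, and an OS patch that reinstalls su will silently remove it.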
