Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: forcing su on a user
Top Forums UNIX for Advanced & Expert Users forcing su on a user Post 46733 by Kelam_Magnus on Thursday 22nd of January 2004 04:09:55 PM
Old 01-22-2004
On HP you can put this scripting in the /etc/profile. That is called everytime a user logs in... and is not writable by normal users other than root.


In addition you can make it an entry in /etc/hosts.allow and /etc/hosts.deny to restrict telnet and rlogin... Just put this in these files... You may need to create them if they dont exist....

Here is a great link to a config of these files...http://ezine.daemonnews.org/200206/hosts_allow.html

I also put these others in to allow only these methods of accessing my boxes....

# cat /etc/hosts.allow
#all : all : banners=/usr/localcw/opt/sysguard/banners : allow
ftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
telnetd : <myuser> : banners=/usr/localcw/opt/sysguard/banners : allow
telnetd : all : banners=/usr/localcw/opt/sysguard/banners : deny
tftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
logind : all : banners=/usr/localcw/opt/sysguard/banners : allow
rlogind : all : banners=/usr/localcw/opt/sysguard/banners : deny
remshd: all : banners=/usr/localcw/opt/sysguard/banners : allow
sidftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
rexecd : all : banners=/usr/localcw/opt/sysguard/banners : allow
sshd : all : banners=/usr/localcw/opt/sysguard/banners : allow

root:/usr/local/bin
# cat /etc/hosts.deny
# Deny all hosts
ALL : ALL






Also, on HPUX there is a security file... do a man security to read about creating it... This file you will need to create in /etc/default/security



You can also restrict who can even attempt to su to root as well... see this part of the man security...

SU_ROOT_GROUP
This parameter defines the root group name for the su
command. Refer to su(1).

SU_ROOT_GROUP=group_name The root group name is set to
the specified symbolic group name. The su command
enforces the restriction that a non-superuser must be a
member of the specified root group in order to be
allowed to su to root. This does not alter password
checking.

Default value: If this parameter is not defined or if
it is commented out, there is no default value. In
this case, a non superuser is allowed to su to root
without being bound by root group restrictions.

Last edited by Kelam_Magnus; 01-22-2004 at 05:25 PM..
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

forcing irq on PCMCIA card

ENV: linux Version: Mandrake 8.1, PCMCIA card: longshine lcs-8534TB. (supported according the PCMCIA docs) laptop is P-II lifetec /etc/sysconfig/pcmcia: PCMCIA=yes PCIC=i82365 ( found via probe -m ) PCIC_OPTS="cs_irq=11 pci_irq_list=11,11 do_scan=0" ( you see i want to force irq 11 )... (3 Replies)
Discussion started by: progressdll
3 Replies

2. Solaris

forcing users to su

Is there a way in solaris 9 to prevent a user to login via ssh, telnet, rlogin, and only be able to su as that user, for example have DBA joe blow login as jblow, and then su to oracle BUT not vice versa have DBA joe blow login as oralce (6 Replies)
Discussion started by: csaunders
6 Replies

3. Solaris

forcing password change every X days?

Hi, how do I go about forcing users to change their password every, say, 30 days? Aaron (1 Reply)
Discussion started by: amheck
1 Replies

4. UNIX for Dummies Questions & Answers

Forcing Makefile to Ignore Errors

Is there A way I can Force a makefile to ignore errors? i believe it is using gcc. i have a set of commands in the makefile that i want to run and each time the makefile gets to the point of this commands, it aborts because of the commands. how can i get the makefile to keep running... (3 Replies)
Discussion started by: SkySmart
3 Replies

5. Red Hat

Forcing a kernel panic in RHEL 5.4

Hello, Is there a way to force a kernel panic in RHEL 5.4 in such a way that the machine reboots after the panic. Thanks, Kanna (1 Reply)
Discussion started by: kanna_geekworkz
1 Replies

6. UNIX for Dummies Questions & Answers

AWK: Backslash \ and forcing output not to go onto new lines

Dear all, I am using Mac OSX, have been successfully written an awk script during the last days. I use the script to convert parts of a .dot-file into graphml code. First question: Backslash My .dot-code includes repeatedly the sign "\n". I would like to search for this sign and substitute... (4 Replies)
Discussion started by: ingli
4 Replies

7. Shell Programming and Scripting

Forcing a tty session but getting a password prompt?

I have a master host I want to use to issue some start/stop of LDAP services. I changed the client hosts /etc/sudoers to have Defaults:infra !requiretty The master host kicks off the jobs using the infra account doing a ssh session to the infra account on the clients. #!/bin/ksh ps -fu... (5 Replies)
Discussion started by: J-Man
5 Replies

8. Hardware

Forcing Linux to keep charging my Kindle

Linux seems to have weird USB power saving features, my Kindle 3 only gets some charge before Linux powers down the USB port. When the device is mounted, it doesn't get enough power, with this same hardware under Windows I don't get the message on the Kindle "currently your kindle is not... (2 Replies)
Discussion started by: John Tate
2 Replies

9. Shell Programming and Scripting

Forcing another user to run a shell script (su)

I'm trying to use su (as myuser) to force another user (theuser) to run a shell script (thescript.sh): su theuser -c /home/theuser/thescript.sh However I'm running this from another script, and it is asking for theuser's password. I would rather avoid displaying it in the file (using echo... (2 Replies)
Discussion started by: asdfgg
2 Replies

10. Programming

Forcing a write to a file without newline?

Hello, I am writing a program which runs with root privileges, and it creates a child with lowered privileges and has to redirect it's stdout and stderr to a file and then run bash. The problem is, whenever I read this file, I want to see all of the current output, even when the program is still... (10 Replies)
Discussion started by: madd-games
10 Replies

LEARN ABOUT LINUX

hosts_options

HOSTS_OPTIONS(5)						File Formats Manual						  HOSTS_OPTIONS(5)

NAME

       hosts_options - host access control language extensions

DESCRIPTION

       This document describes extensions to the language described in the hosts_access(5) document.

       The extensible language uses the following format:

	  daemon_list : client_list : option : option ...

       The  first two fields are described in the hosts_access(5) manual page.	The remainder of the rules is a list of zero or more options.  Any
       ":" characters within options should be protected with a backslash.

       An option is of the form "keyword" or "keyword value". Options are processed in the specified order. Some options are subjected	to  %<let-
       ter> substitutions. For the sake of backwards compatibility with earlier versions, an "=" is permitted between keyword and value.

LOGGING

       severity mail.info

       severity notice
	      Change  the  severity  level at which the event will be logged. Facility names (such as mail) are optional, and are not supported on
	      systems with older syslog implementations. The severity option can be used to emphasize or to ignore specific events.

ACCESS CONTROL

       allow

       deny   Grant (deny) service. These options must appear at the end of a rule.

       The allow and deny keywords make it possible to keep all access control rules within a single file, for example in the hosts.allow file.

       To permit access from specific hosts only:

	  ALL: .friendly.domain: ALLOW
	  ALL: ALL: DENY

       To permit access from all hosts except a few trouble makers:

	  ALL: .bad.domain: DENY
	  ALL: ALL: ALLOW

       Notice the leading dot on the domain name patterns.

RUNNING OTHER COMMANDS

       aclexec shell_command
	      Execute, in a child process, the specified shell command, after performing the %<letter> expansions described in the hosts_access(5)
	      manual  page.  The command is executed with stdin, stdout and stderr connected to the null device, so that it won't mess up the con-
	      versation with the client host. Example:

		 smtp : ALL : aclexec checkdnsbl %a

	      executes, in a background child process, the shell command "checkdnsbl %a" after replacing %a by the address of the remote host.

	      The connection will be allowed or refused depending on whether the command returns a true or false exit status.

       spawn shell_command
	      Execute, in a child process, the specified shell command, after performing the %<letter> expansions described in the hosts_access(5)
	      manual  page.  The command is executed with stdin, stdout and stderr connected to the null device, so that it won't mess up the con-
	      versation with the client host. Example:

		 spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &

	      executes, in a background child process, the shell command "safe_finger -l @%h | mail root"  after  replacing  %h  by  the  name	or
	      address of the remote host.

	      The  example  uses the "safe_finger" command instead of the regular "finger" command, to limit possible damage from data sent by the
	      finger server. The "safe_finger" command is part of the daemon wrapper package; it is a wrapper around the  regular  finger  command
	      that filters the data sent by the remote host.

       twist shell_command
	      Replace  the  current  process by an instance of the specified shell command, after performing the %<letter> expansions described in
	      the hosts_access(5) manual page.	Stdin, stdout and stderr are connected to the client process. This option must appear at  the  end
	      of a rule.

	      To send a customized bounce message to the client instead of running the real ftp daemon:

		 in.ftpd : ... : twist /bin/echo 421 Some bounce message

	      For an alternative way to talk to client processes, see the banners option below.

	      To run /some/other/in.telnetd without polluting its command-line array or its process environment:

		 in.telnetd : ... : twist PATH=/some/other; exec in.telnetd

	      Warning:	 in  case of UDP services, do not twist to commands that use the standard I/O or the read(2)/write(2) routines to communi-
	      cate with the client process; UDP requires other I/O primitives.

NETWORK OPTIONS

       keepalive
	      Causes the server to periodically send a message to the client.  The connection is  considered  broken  when  the  client  does  not
	      respond.	The  keepalive	option	can  be  useful  when  users  turn off their machine while it is still connected to a server.  The
	      keepalive option is not useful for datagram (UDP) services.

       linger number_of_seconds
	      Specifies how long the kernel will try to deliver not-yet delivered data after the server process closes a connection.

USERNAME LOOKUP

       rfc931 [ timeout_in_seconds ]
	      Look up the client user name with the RFC 931 (TAP, IDENT, RFC 1413) protocol.  This option is silently ignored in case of  services
	      based  on  transports  other  than TCP.  It requires that the client system runs an RFC 931 (IDENT, etc.) -compliant daemon, and may
	      cause noticeable delays with connections from non-UNIX clients.  The timeout period is optional. If no timeout is specified  a  com-
	      pile-time defined default value is taken.

MISCELLANEOUS

       banners /some/directory
	      Look  for  a file in `/some/directory' with the same name as the daemon process (for example in.telnetd for the telnet service), and
	      copy its contents to the client. Newline characters are replaced by carriage-return newline, and %<letter>  sequences  are  expanded
	      (see the hosts_access(5) manual page).

	      The tcp wrappers source code distribution provides a sample makefile (Banners.Makefile) for convenient banner maintenance.

	      Warning: banners are supported for connection-oriented (TCP) network services only.

       nice [ number ]
	      Change the nice value of the process (default 10).  Specify a positive value to spend more CPU resources on other processes.

       setenv name value
	      Place  a	(name, value) pair into the process environment. The value is subjected to %<letter> expansions and may contain whitespace
	      (but leading and trailing blanks are stripped off).

	      Warning: many network daemons reset their environment before spawning a login or shell process.

       umask 022
	      Like the umask command that is built into the shell. An umask of 022 prevents the creation of files with group and world write  per-
	      mission.	The umask argument should be an octal number.

       user nobody

       user nobody.kmem
	      Assume  the  privileges of the "nobody" userid (or user "nobody", group "kmem"). The first form is useful with inetd implementations
	      that run all services with root privilege. The second form is useful for services that need special group privileges only.

DIAGNOSTICS

       When a syntax error is found in an access control rule, the error is reported to the syslog daemon; further options will  be  ignored,  and
       service is denied.

SEE ALSO

       hosts_access(5), the default access control language

AUTHOR

       Wietse Venema (wietse@wzv.win.tue.nl)
       Department of Mathematics and Computing Science
       Eindhoven University of Technology
       Den Dolech 2, P.O. Box 513,
       5600 MB Eindhoven, The Netherlands

																  HOSTS_OPTIONS(5)
All times are GMT -4. The time now is 10:16 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy