

restriction of the "su" command


 
# 1  
Old 11-03-2001

There's a feature I really like in FreeBSD that I haven't seen implemented in Solaris.

In FreeBSD you can only "su" if you are part of the 'wheel' group... this isn't the case with my Solaris box.

I want to know how I can set my Solaris box so that only people who are part of the 'sysadmin' group (or if I have to make a wheel group) are the only ones able to "su" to root.
# 2  
Old 11-04-2001
Hi xyyz,
You could lock down the actual binary and only give execute permissions to whatever group you want. For example, below you said you have a sysadmin group. You could do this to su:

chown root:sysadmin su
chmod 550 su

I don't know what side effects there could be from doing this as I haven't tried it. Default perms on my box are -r-sr-xr-x, which kind of implies that there may be a reason everyone has execute by default.

If that doesn't work for you there is always pam or sudo.
TioTony
# 3  
Old 11-04-2001
The su program needs to have its effective uid set to zero as it runs. Changing the permissions to 550 creates an su program that only root can use. You need to do:
chmod 4550 su
if you're going to do this. And you could create a wheel group while you're at it. This is how BSD did it. They just create the wheel group, set the su program to be group wheel and the mode to be 4550.
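
The layout post #3 arrives at (owner root, restricted group, mode 4550) can be checked mechanically, which also catches the setuid bit lost by a plain `chmod 550`. This is an added example, not part of any poster's reply; `audit_su` is a hypothetical helper name, and the path and group you pass to it are assumptions about your system.

```shell
#!/bin/sh
# audit_su FILE GROUP [OWNER]
# Prints one line per finding; returns 0 only if FILE is owned by OWNER
# (default root), belongs to GROUP, is setuid, and grants nothing to others.
audit_su() {
    file=$1; want_group=$2; want_owner=${3:-root}; rc=0

    # ls -ld is parsed instead of calling stat(1) because its first four
    # fields look the same on Solaris, the BSDs and Linux.
    line=$(ls -ld "$file" 2>/dev/null) || { echo "FAIL: cannot read $file"; return 2; }
    set -- $line
    perms=$1; owner=$3; group=$4

    case $perms in
        ???s*) ;;   # setuid bit set and owner may execute
        ???x*) echo "FAIL: setuid bit missing (mode 550 instead of 4550)"; rc=1 ;;
        *)     echo "FAIL: owner execute/setuid bits are wrong: $perms"; rc=1 ;;
    esac
    case $perms in
        ??????x*) ;;   # members of the group can run it
        *) echo "FAIL: group has no execute permission: $perms"; rc=1 ;;
    esac
    case $perms in
        ???????---*) ;;   # nothing for "other"; trailing + or . is ignored
        *) echo "FAIL: users outside the group still have access: $perms"; rc=1 ;;
    esac

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file is $perms $owner:$group"
    fi
    return $rc
}

# Run as a script: sh audit_su.sh /path/to/su wheel   (path and group are yours)
if [ $# -ge 2 ]; then
    audit_su "$@"
    exit $?
fi
```
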
# 4  
Old 11-06-2001
Hi,

If your version of su is PAM enabled then you could enable the wheel group module in the /etc/pam.d/su config file.

I can't recall the precise syntax but it may be that the line needs uncommenting to allow this feature to work.

Andy.
# 5  
Old 11-09-2001
If you are using Solaris, go in and set a file access control list on the su command and give the execute permissions to the group 14. This is the easiest way to do the restrictions you want to.

Hope this helps.
Michael
