
How to restrict the su command? Not sudo


David

Nov 17, 2003, 6:12:21 AM
First off, I already know about sudo, that's not what I want.

I'm looking for a method to restrict usage of the su command to
specific users. On Slackware, I had an /etc/suath file where I could
specify which users were allowed to use su but that doesn't seem to
exist with RedHat (or Fedora).

I read in another message that with RedHat you could edit
/etc/security/access.conf to accomplish this. However when I looked
at the file, it appears to only be used to restrict login access.
Restrict console login, restrict remote login, etc... but I don't see
anything that lets you restrict su usage.

I also read that I could create a group ("suusers" or something like
that) and then change the file permissions of the su command so it's
only usable by root and users in the suusers group. That might be an
option but I'm looking for something closer to the /etc/suath method.

Sybren Stüvel

Nov 17, 2003, 11:54:05 AM
On Mon, 17 Nov 2003 03:12:21 -0800, David wrote:

> I'm looking for a method to restrict usage of the su command to specific
> users.

/etc/pam.d/su

Sybren
--
(o_ Q: God, root, what is difference?
//\ A: God can change the byte order on the CPU, root can't.
V_/_


Andrew Ho

Nov 18, 2003, 9:54:00 AM
bli...@yahoo.com (David) wrote in message news:<518783f3.03111...@posting.google.com>...

> First off, I already know about sudo, that's not what I want.
>
> I'm looking for a method to restrict usage of the su command to
> specific users. On Slackware, I had an /etc/suath file where I could
> specify which users were allowed to use su but that doesn't seem to
> exist with RedHat (or Fedora).


Why would you want to do that? After all, when you use the 'su'
command, you still need a password.
Just curious, that's all. Anyway, a thought I had was to make a group
that people had to be in to execute that command ("chgrp suusers
/bin/su"), and to make anyone who can use that command a part of that
group.

Sybren Stüvel

Nov 18, 2003, 9:57:41 AM
On Tue, 18 Nov 2003 06:54:00 -0800, Andrew Ho wrote:

> After all, when you use the 'su' command,
> you still need a password.

That's not entirely true. Read the comments in /etc/pam.d/su.

> just curious, that's all. Anyway, a thought I had was to make a group
> that people had to be in to execute that command "chgrp suusers /bin/su",
> and to make anyone who can use that command a part of that group

Using PAM (as described in my other post in this thread) is a much cleaner
way to solve the issue.

Andrew Ho

Nov 18, 2003, 2:53:46 PM
Sybren Stüvel <sybr...@YOURimagination.thirdtower.com> wrote in message news:<pan.2003.11.18...@YOURimagination.thirdtower.com>...

> On Tue, 18 Nov 2003 06:54:00 -0800, Andrew Ho wrote:
>
> > After all, when you use the 'su' command,
> > you still need a password.
>
> That's not entirely true. Read the comments in /etc/pam.d/su.
>
> > just curious, that's all. Anyway, a thought I had was to make a group
> > that people had to be in to execute that command "chgrp suusers /bin/su",
> > and to make anyone who can use that command a part of that group
>
> Using PAM (as described in my other post in this thread) is a much cleaner
> way to solve the issue.
>
> Sybren

Ah yes, you are right, Sybren. And from what I remember when I was
last around this group [one or two years ago], that happens a lot :)
Andrew

Sybren Stüvel

Nov 18, 2003, 6:16:26 PM
On Tue, 18 Nov 2003 11:53:46 -0800, Andrew Ho wrote:

> Ah yes, you are right, Sybren. And from what I remember when I was last
> around this group [one or two years ago], that happens a lot :) Andrew

Thanx ;-)

David

Nov 19, 2003, 5:11:04 AM
> Why would you want to do that? After all, when you use the 'su'
> command, you still need a password.

Real simple. I don't want anyone on the system to have access to the
su command but me. It has nothing to do with needing a password or not
needing a password. For routine commands that are relatively
harmless, I use sudo with the NOPASSWD option set on a few commands.
But sometimes you need to do a series of commands all in a row, and
A) typing sudo in front of all those commands is annoying, and
B) giving an ordinary user account (even if he's the admin) access to
all those commands via sudo goes against my own personal
administrative philosophy.

I'm not asking you to agree with the way I want to do my work. You
are welcome to administrate your system however you see fit.

> Anyway, a thought I had was to make a group
> that people had to be in to execute that command "chgrp suusers
> /bin/su", and to make anyone who can use that command a part of that
> group

I think I covered that option in my original post. "I also read that

Sybren Stüvel

Nov 19, 2003, 10:06:23 AM
On Wed, 19 Nov 2003 02:11:04 -0800, David wrote:

> I think I covered that option in my original post. "I also read that I
> could create a group ("suusers" or something like that) and then change
> the file permissions of the su command so it's only usable by root and
> users in the suusers group. That might be an option but I'm looking for
> something closer to the /etc/suath method."

Try my suggestion from somewhere else in this thread.

Jacob Westenbach

Nov 19, 2003, 12:03:23 PM
"David" <bli...@yahoo.com> wrote in message
news:518783f3.03111...@posting.google.com...

Another approach is to add the desired users to the wheel group and chown
the specific apps to be root.wheel. This is a tedious PITA if there are
very many apps or users involved.

JW


test

Nov 25, 2003, 7:49:05 AM
One suggestion, if I may: why don't you remove the su command from the default
path and put it in a path that only root (or you) can access? This means
updating your .profile; depending on which shell you are running, this may mean
modifying the path in your proper .profile equivalent file.

Good luck
Marc
"Jacob Westenbach" <west...@yahoo.com> wrote in message
news:vnNub.5345$Vs1....@twister.austin.rr.com...

Sybren Stüvel

Nov 25, 2003, 2:07:28 AM
On Tue, 25 Nov 2003 07:49:05 -0500, test wrote:

> One suggestion, if I may: why don't you remove the su command from the
> default path and put it in a path that only root (or you) can access? This
> means updating your .profile; depending on which shell you are running, this
> may mean modifying the path in your proper .profile equivalent file.

Because editing /etc/pam.d/su is much easier. PAM is made so you can
easily edit authentication permissions. By using it, you also make sure
nobody bypasses your suggestion by uploading another su program.
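As an added example (not code from anyone in this thread), the lines below show what the pam_wheel entries in a Red Hat style /etc/pam.d/su look like, including the commented "trust" line Sybren's second reply alludes to, together with a small POSIX shell function that audits such a file and reports whether su is restricted to wheel members with a password, trusted without one, or not restricted at all. The file content is a constructed sample and the function name `audit_su_pam` is my own; the `include system-auth` lines are a simplification of the distribution's real file.

```shell
#!/bin/sh
# Constructed sample of the relevant part of /etc/pam.d/su.
# "auth required pam_wheel.so use_uid" restricts su to members of the
# wheel group, who must still supply the target user's password.
# Uncommenting the "trust" line would let wheel members su WITHOUT a
# password, which is the behaviour the file's own comments warn about.
SAMPLE_SU_PAM='auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth       required     pam_wheel.so use_uid
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth'

# audit_su_pam FILE
# Prints one of: restricted (wheel only, password still required),
# trusted (wheel members may su without a password), open (no wheel
# restriction). Returns 0 only for "restricted".
audit_su_pam() {
    f=$1
    # Drop comment lines so commented-out entries are not counted as active.
    active=$(grep -v '^[[:space:]]*#' "$f" || true)
    if printf '%s\n' "$active" \
        | grep -E '^auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so' \
        | grep -qw trust; then
        echo trusted; return 1
    fi
    if printf '%s\n' "$active" \
        | grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so'; then
        echo restricted; return 0
    fi
    echo open; return 2
}

# Demonstrate on the constructed sample written to a temporary file.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SU_PAM" > "$tmp"
audit_su_pam "$tmp"
rm -f "$tmp"
```

Run `audit_su_pam /etc/pam.d/su` on a real system to see which state it is in; "restricted" is the state David was asking for.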
