[opensuse] limiting users who can use su
Hello,
Is there a way to control which user accounts can use 'su' when using ssh? I want only a couple of users to be able to change to root when using ssh.
Thank you,
James
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Wednesday 14 November 2007 11:50, James D. Parra wrote:
Hello,
Is there a way to control which user accounts can use 'su' when using ssh? I want only a couple of users to be able to change to root when using ssh.
You shouldn't be giving out your system's root password to this class of user. Instead, configure the "sudo" command to permit those users you wish to have administrative capabilities to be able to use it (sudo) to get root privilege. Sudo has other more refined capabilities (e.g., I think you can limit the commands available to a given user via sudo).
Thank you,
James
Randall Schulz
You shouldn't be giving out your system's root password to this class of user.
It's not a matter of giving root passwords to people, it's a matter of increasing tightness in the security. If one doesn't need sudo, one doesn't need sudo. Sudo is not the holy grail solution of everything (despite what some other distros think...). There are a whole lot more things to be set instead of worrying about sudo, which people don't care about at all (like pam, limits.conf, etc).
Marcio --- druid
chown /bin/su binary so it can be only executed by people in a certain group (by tradition, it's usually called wheel group)
Somewhere in this url it says how:
http://www.cromwell-intl.com/security/linux-hardening.html
On Nov 14, 2007 5:50 PM, James D. Parra
Hello,
Is there a way to control which user accounts can use 'su' when using ssh? I want only a couple of users to be able to change to root when using ssh.
Thank you,
James
On Nov 14, 2007 5:57 PM, Druid
chown /bin/su binary so it can be only executed by people in a certain group (by tradition, it's usually called wheel group)
Somewhere in this url it says how: http://www.cromwell-intl.com/security/linux-hardening.html
Actually you would want to add a line in /etc/permissions file, so it wouldn't be reverted by any chance
Marcio
On Wednesday 14 November 2007 20:50:40 James D. Parra wrote:
Hello,
Is there a way to control which user accounts can use 'su' when using ssh? I want only a couple of users to be able to change to root when using ssh.
Unfortunately, Richard Stallman wants everyone who can log in to a machine to have root access (see the end comment in "info:su"), so there is no built-in way in su of doing this.
What you can do is to change the ownership of /bin/su to the group "wheel", change the permissions on it to 4750, and add the users you want to have access to the wheel group.
Or, alternatively, you can remove access to su completely, and use sudo instead, which does allow more fine grained control, through /etc/sudoers.
Anders
-- Madness takes its toll
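The wheel-group restriction described in the message above (and in Druid's earlier one) can be verified with a small audit function. This is an added example, not part of the original thread; the function name `su_restricted` is made up here, and it assumes GNU `stat` as shipped on Linux.

```shell
#!/bin/sh
# Added example (not from the thread). Remediation the thread describes, as root:
#   chown root:wheel /bin/su
#   chmod 4750 /bin/su
#   usermod -a -G wheel USERNAME      # USERNAME is a placeholder account
# The thread also advises recording the setting in /etc/permissions on
# openSUSE so that it is not reverted.

# su_restricted PATH GROUP
# Returns 0 only if PATH is setuid, group-owned by GROUP, not group-writable,
# and grants no access to "other". Returns 2 if PATH is missing, 1 otherwise.
su_restricted() {
    path=$1
    want_group=$2
    [ -e "$path" ] || { echo "FAIL: $path does not exist"; return 2; }

    group=$(stat -c '%G' "$path")                     # group name (GNU stat)
    mode=$(printf '%04d' "$(stat -c '%a' "$path")")   # pad: 755 -> 0755
    special=${mode%???}                               # setuid/setgid/sticky digit
    grp_bits=${mode#??}; grp_bits=${grp_bits%?}       # group permission digit
    other=${mode#???}                                 # "other" permission digit

    rc=0
    case $special in
        4|5|6|7) ;;                                   # setuid bit present
        *) echo "FAIL: $path is not setuid (mode $mode)"; rc=1 ;;
    esac
    [ "$group" = "$want_group" ] ||
        { echo "FAIL: group is $group, expected $want_group"; rc=1; }
    case $grp_bits in
        2|3|6|7) echo "FAIL: $path is group-writable (mode $mode)"; rc=1 ;;
    esac
    [ "$other" = 0 ] ||
        { echo "FAIL: 'other' still has access (mode $mode)"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $path is mode $mode, limited to group $group"
    return "$rc"
}

# Stand-alone use: ./check_su.sh /bin/su wheel
if [ $# -gt 0 ]; then
    su_restricted "$1" "${2:-wheel}"
fi
```

Run it after every package update of the component that ships `su`, since an update can reset ownership and mode to the distribution defaults.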
James D. Parra wrote:
Hello,
Is there a way to control which user accounts can use 'su' when using ssh? I want only a couple of users to be able to change to root when using ssh.
Don't use su... use sudo. That way, you can control EXACTLY which commands they can run (for example, that way, a user can't go and delete some other user's account, or make his own "extra" account, or any other item from an unending list of mayhem). There's a reason that YOU are the administrator and they aren't. Therefore, they have no business being allowed to su to root when sudo is available for use.
Aaron Kulkis wrote:
James D. Parra wrote:
Hello,
Is there a way to control which user accounts can use 'su' when using ssh? I want only a couple of users to be able to change to root when using ssh.
Don't use su... use sudo.
That way, you can control EXACTLY which commands they can run (for example, that way, a user can't go and delete some other user's account, or make his own "extra" account, or any other item from an unending list of mayhem).
There's a reason that YOU are the administrator and they aren't. Therefore, they have no business being allowed to su to root when sudo is available for use.
What I have done, is create a sudo directory for a user, where they have rights to everything in it. I then create a symlink from that directory to the executable. Though I haven't done it, I believe you can also assign sudo rights to groups and then make a user a member of that group.
-- Use OpenOffice.org http://www.openoffice.org
participants (6)
- Aaron Kulkis
- Anders Johansson
- Druid
- James D. Parra
- James Knott
- Randall R Schulz