Mailinglist Archive: opensuse-security (423 mails)

Re: [suse-security] su to root
  • From: William Preston <william.preston@xxxxxxxxxxxx>
  • Date: Wed, 21 Mar 2001 18:47:53 +0100
  • Message-id: <3AB8E949.875A072@xxxxxxxxxxxx>
Egan wrote:
>
> On Wed, 21 Mar 2001 17:59:31 +0100, Thomas Haeberlen
> <Haeberlen@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> >Ahem... if a user knows the root password, why would you want to keep
> >him or her from becoming root, anyway?
>
> For a second level of protection. I think it is better if only the
> users who belong to group root can su to root.
>
> >If you restricted permissions of su, to members of the "root" group,
> >then other users would not be able to change their "id" at all
>
> That is what others have suggested, but that is a problem.
>
> >On the other hand if e.g. you set your box to allow root to log in
> >only on the console and never over the net...
>
> That's not feasible on a box in remote collocation.
>
> >but still: if you can't trust the people who know the root password to
> >use "su" correctly, then you probably shouldn't let them know the root
> >password in the first place.
>
> There is only one person who knows the root password, me. I have to
> log in remotely, most of the time with sshd, but in emergencies, with
> telnet and then su to root.
>
> I don't want other users trying su to root and guessing the password.
> It would be nice if su had that extra level of protection the way it
> did on bsdi.
>
> Egan
>

If you use pam then perhaps the pam_wheel module is what you're looking
for?

Add the following to /etc/pam.d/su:

auth required pam_wheel.so



William
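
One way to check that the pam_wheel line suggested above is in effect and who it lets through, as an added example that is not part of the original mail. The function names and the sample stack and group entries are constructed for illustration; it assumes pam_wheel's usual behaviour of checking group "wheel", falling back to the GID 0 group, unless a group= option is given.

```shell
#!/bin/sh
# Added example: audit a su PAM stack for pam_wheel. Paths are arguments so it
# can be run against copies; bracketed control fields ([...]) are not parsed.

# pam_wheel_status PAMFILE -> enforced | not-enforcing | missing
pam_wheel_status() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out lines do nothing
        $1 == "auth" && $3 ~ /(^|\/)pam_wheel\.so$/ {
            weak = 0                             # trust/deny change the meaning
            for (i = 4; i <= NF; i++)
                if ($i == "trust" || $i == "deny") weak = 1
            if (($2 == "required" || $2 == "requisite") && !weak) { ok = 1 } else { seen = 1 }
        }
        END { print (ok ? "enforced" : (seen ? "not-enforcing" : "missing")) }
    ' "$1"
}

# pam_wheel_members PAMFILE GROUPFILE -> supplementary members of the group
# being checked (users with it as primary group are not listed in GROUPFILE).
pam_wheel_members() {
    grp=$(awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $3 ~ /(^|\/)pam_wheel\.so$/ {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^group=/) { sub(/^group=/, "", $i); print $i; exit }
        }' "$1")
    awk -F: -v g="${grp:-wheel}" -v explicit="$grp" '
        $1 == g { found = 1; print $4 }
        $3 == 0 { gid0 = $4 }                    # fallback when "wheel" is absent
        END { if (!found && explicit == "") print gid0 }
    ' "$2"
}

# Constructed sample input (not from the original mail).
d=$(mktemp -d)
printf 'auth sufficient pam_rootok.so\nauth required pam_wheel.so\n' > "$d/su"
printf 'root:x:0:egan\nusers:x:100:\n' > "$d/group"
echo "su: $(pam_wheel_status "$d/su"), members: $(pam_wheel_members "$d/su" "$d/group")"
rm -rf "$d"
```

On a live system the arguments would be /etc/pam.d/su and /etc/group.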
