Hi everybody!

I guess there is an easy possibility to allow the command 'su' only to a small group of users. Perhaps someone of you can send me a hint!

Thank you very much!

GSK

-----Original Message-----
From: Gero Schmidt-Kärst [mailto:gsk@mobnets.rwth-aachen.de]
Sent: 08 March 2004 15:28
To: suse-security@suse.com
Subject: [suse-security] allow 'su' to limited users

> Hi everybody!
> I guess there is an easy possibility to allow the command 'su' only to a small group of users. Perhaps someone of you can send me a hint!

Even better, use sudo to allow certain users to execute certain commands. See `man sudo` and `man sudoers`.

The old way of limiting su access was to add users to the "wheel" group.

Use pam_wheel?
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.29

Tom.

Hello,

Generally, making a user part of the 'wheel' group will allow the su command. So, adding/removing a user from the 'wheel' group should be able to solve your problem.

More information can be found by typing:
    man sudoers [/etc/sudoers]

Regards,
Alin.

Gero Schmidt-Kärst wrote:
> Hi everybody!
> I guess there is an easy possibility to allow the command 'su' only to a small group of users. Perhaps someone of you can send me a hint!
> Thank you very much!
> GSK
-- Alin DOBRE Technical Support Engineer - RAV Division mailto:alin.dobre@ravantivirus.com Tel./Fax: +40-21-321.78.03 Hotline: +40-21-321.78.59; http://www.ravantivirus.com Worry less! RAV is watching.

On Mon, Mar 08, 2004 at 04:27:46PM +0100, Gero Schmidt-Kärst wrote:
> I guess there is an easy possibility to allow the command 'su' only to a small group of users. Perhaps someone of you can send me a hint!

Yep:

* add the users to the group 'wheel':

    usermod -G wheel tom
    usermod -G wheel dick
    usermod -G wheel harry

* change the group and permissions on /bin/su so that it can only be accessed by members of the group 'wheel'

    chgrp wheel /bin/su
    chmod 4750 /bin/su

I picked the group 'wheel' since this is what, historically, Unix systems have used for this function.

Cheers,

Paul.

--
Paul Dwerryhouse | PGP Key ID:
Amsterdam, The Netherlands (X) <-> Melbourne, Australia ( ) | 0x6B91B584

Paul Dwerryhouse wrote:
> * change the group and permissions on /bin/su so that it can only be accessed by members of the group 'wheel'
>
>     chgrp wheel /bin/su
>     chmod 4750 /bin/su

You should also update /etc/permissions.local to include the new permissions of /bin/su. Add the line

    /bin/su root.wheel 4750

to the file /etc/permissions.local. Otherwise YaST could reverse your changes.

Regards
Stefan Nordhausen

And there is one essential final step as well: add a line

    /bin/su root.wheel 4750

to /etc/permissions.local. Otherwise your security change will disappear at some random time in the future (next time SuSEconf runs). See /etc/sysconfig/security for more information about this mechanism.

Bob

On Mon, 8 Mar 2004, Paul Dwerryhouse wrote:
> On Mon, Mar 08, 2004 at 04:27:46PM +0100, Gero Schmidt-Kärst wrote:
> > I guess there is an easy possibility to allow the command 'su' only to a small group of users. Perhaps someone of you can send me a hint!
>
> Yep:
>
> * add the users to the group 'wheel':
>
>     usermod -G wheel tom
>     usermod -G wheel dick
>     usermod -G wheel harry
>
> * change the group and permissions on /bin/su so that it can only be accessed by members of the group 'wheel'
>
>     chgrp wheel /bin/su
>     chmod 4750 /bin/su
>
> I picked the group 'wheel' since this is what, historically, Unix systems have used for this function.
>
> Cheers,
>
> Paul.
>
> --
> Paul Dwerryhouse | PGP Key ID:
> Amsterdam, The Netherlands (X) <-> Melbourne, Australia ( ) | 0x6B91B584
==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691

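The steps given in the replies above (owner and group root.wheel on /bin/su with mode 4750, plus the matching line in /etc/permissions.local) can be verified with a small audit script. This is an added example, not part of any poster's message; the function names are hypothetical, and it assumes a `stat` that supports `-c` and the `path owner.group mode` entry format quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit the su lockdown described above.
# Assumes a stat that supports -c (GNU/BusyBox) and the "path owner.group mode"
# entry format quoted in the thread. All function names are hypothetical.

# check_su_mode FILE OWNER.GROUP MODE: 0 if FILE has that owner, group and mode.
check_su_mode() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(stat -c '%U.%G %a' "$1") || return 2
    [ "$actual" = "$2 $3" ] && return 0
    echo "$1 is '$actual', expected '$2 $3'" >&2
    return 1
}

# check_permissions_entry PERMFILE FILE OWNER.GROUP MODE: 0 if the last
# non-comment entry for FILE in PERMFILE records that owner.group and mode.
check_permissions_entry() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 2; }
    awk -v f="$2" -v og="$3" -v m="$4" '
        /^[ \t]*#/ { next }
        # "owner:group" is accepted as well as "owner.group"
        $1 == f { found = 1; o = $2; sub(/:/, ".", o); ok = (o == og && $3 == m) }
        END { if (found && ok) exit 0; exit 1 }
    ' "$1" && return 0
    echo "$1: no '$2 $3 $4' entry, so the change may be reverted" >&2
    return 1
}

# group_members GROUPFILE GROUP: print supplementary members, one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g {
        n = split($4, u, ",")
        for (i = 1; i <= n; i++) if (u[i] != "") print u[i]
    }' "$1"
}

# audit_su [SU_PATH] [PERMFILE] [GROUP]: run every check with the thread's
# values as defaults; returns non-zero if any check fails.
audit_su() {
    su_bin=${1:-/bin/su} perm=${2:-/etc/permissions.local} grp=${3:-wheel}
    rc=0
    check_su_mode "$su_bin" "root.$grp" 4750 || rc=1
    check_permissions_entry "$perm" "$su_bin" "root.$grp" 4750 || rc=1
    echo "members of $grp: $(group_members /etc/group "$grp" | tr '\n' ' ')"
    return $rc
}

# Usage, as root: audit_su
```

`usermod -G` sets a user's whole supplementary group list, so compare the printed membership with what you expect after running it.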
Gero Schmidt-Kärst wrote:
> Hi everybody!
> I guess there is an easy possibility to allow the command 'su' only to a small group of users. Perhaps someone of you can send me a hint!

hint: man sudo

> Thank you very much!
> GSK

--
Until later, Geoffrey
Registered Linux User #108567
Building secure systems in spite of Microsoft

participants (7)
- Alin Dobre
- Bob Vickers
- Geoffrey
- Gero Schmidt-Kärst
- nordi
- Paul Dwerryhouse
- Tom Knight