RE: [opensuse] limiting users who can use su
14 Nov 2007 21:30
On Wed, 2007-11-14 at 12:03 -0800, James D. Parra wrote:
-----Original Message-----
From: Druid [mailto:marcio.ferreira@gmail.com]
Sent: Wednesday, November 14, 2007 11:57 AM
To: opensuse@opensuse.org
Subject: Re: [opensuse] limiting users who can use su
chown /bin/su binary so it can be only executed by people in a certain group (by tradition, it's usually called wheel group)
Somewhere in this url it says how: http://www.cromwell-intl.com/security/linux-hardening.html
On Nov 14, 2007 5:50 PM, James D. Parra <Jamesp@musicreports.com> wrote:
Hello,
Is there a way to control which user accounts can use 'su' when using ssh? I want only a couple of users to be able to change to root when using ssh.
Perfect. Thank you. This is the kind of response I needed. For internal reasons, that I don't wish to go into here, there are users who get the root passwd from other users 'just because they needed to'. Again, I don't want to go into details, however the above response will help me get around this problem.
>I see some contradictions to what you say here. In your original post,
>you mentioned you did not want people to su from ssh. The solution
>presented limits su whether via ssh or on the machine physically.
>So if you're saying strictly limit su in an SSH situation, but allow in
>a physical situation, you haven't resolved the problem.
No contradiction, just added info. Users login via ssh. The subject line is
the topic; that is, limiting users who can use 'su'. Just wanted to be brief
in the post.
>The other issue here is that internally, you have people giving out
>root's password. Root constantly gets compromised when you do that.
>When something went wrong because "root" did something, how do you know
>which user actually played as "root"? A better solution would be to
>create a user or set of users who is a member of the root group.
I know all about the problems about who should and should not get the root
password, but real world situations in corporations have their own corporate
politics. What is supposed to happen and the way things actually occur do
not always match best practices. My question and the answers received
suggesting putting specific users in the 'wheel' group was what was helpful.
If I can't change people's behavior, I can at least chmod the permissions
for 'su'.
>On the other hand, if you hand out root's password to everyone, and say
>someone in the company has been fired, [....]
Not everyone has the root password and that was not the question. However, I
do appreciate your suggestions about using keys for ssh.
Thank you,
~James
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
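
An added example, not part of the original thread: a small audit that checks whether a `su` binary is actually limited to one group in the way discussed above (owner and group set, setuid bit kept, no access for other users). The function names, the default owner `root`, the accepted modes (such as 4750) and the use of GNU `stat` are assumptions.

```shell
# Added example (not from the thread). Assumes GNU stat (stat -c).
# Usage: audit_su /bin/su wheel

# mode_ok MODE: succeeds if the octal MODE (e.g. 4750) keeps the setuid bit,
# lets the group execute, and grants no group write and nothing to others.
mode_ok() {
    _bits=$(( 0$1 ))                       # leading 0 makes the value octal
    [ $(( _bits & 04000 )) -ne 0 ] &&      # setuid kept, so su can still become root
    [ $(( _bits & 00010 )) -ne 0 ] &&      # members of the group may execute
    [ $(( _bits & 00027 )) -eq 0 ]         # no group write, no access for others
}

# audit_su PATH GROUP [OWNER]: prints each finding and returns
#   0 if PATH is owned by OWNER:GROUP with a mode accepted by mode_ok,
#   1 if any check fails, 2 if PATH cannot be examined.
audit_su() {
    _owner=${3:-root}
    _rc=0
    # -L follows the path in case it is a symlink to the real binary
    _o=$(stat -L -c %U -- "$1") || return 2
    _g=$(stat -L -c %G -- "$1") || return 2
    _m=$(stat -L -c %a -- "$1") || return 2
    [ "$_o" = "$_owner" ] || { echo "owner is $_o, expected $_owner"; _rc=1; }
    [ "$_g" = "$2" ] || { echo "group is $_g, expected $2"; _rc=1; }
    mode_ok "$_m" || { echo "mode $_m does not limit execution to $2"; _rc=1; }
    return "$_rc"
}
```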