Re: disable 'su' for normal users

From: Luciano Miguel Ferreira Rocha (strange@nsk.yi.org)
Date: 11/10/01


Date: Fri, 9 Nov 2001 23:08:10 +0000
From: Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>
To: bugtraq <bug@walhalla.sin.khk.be>
Subject: Re: disable 'su' for normal users
Message-ID: <20011109230810.A4699@nsk.yi.org>

On Thu, Nov 08, 2001 at 01:18:45PM +0100, bugtraq wrote:
> hello,
>
> I was wondering how one can disable the su-command for a normal user.
> Because certain programs need 'su' when linux boots, you cannot just alter
> the flags, ...
> Also it is a SETUID-prog.

Yes, you can alter the flags, for the boot scripts run as root, and so
su then runs as root too, so it doesn't need the suid bit anymore.

Anyhow, you may change its group and permissions so that only some people
in a given group may run the program.

Eg:
# id
uid=root gid=root ...
# chgrp su /bin/su
# chmod 04750 /bin/su
# su - zbr
zbr$ id
uid=zbr gid=zbr groups=zbr,su
zbr$ su
Password: ***
su: incorrect password
zbr$ exit
# su - xpto
xpto$ id
uid=xpto gid=xpto groups=xpto
xpto$ su
/bin/su: permission denied

>
> The reason I want to disable this, is because a user does not need 'su'
> for anything. Also there has been some abuse.

Well, at least one user does need su: you, the sysadmin. You don't just
telnet/ssh directly to root, do you?

Regards,
Luciano Rocha

-- 
Luciano Rocha, strange@nsk.yi.org

The trouble with computers is that they do what you tell them, not what you want. -- D. Cohen
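
An added check, not part of the original message: a shell function that audits whether a su binary is restricted the way the reply above sets it up (setuid, mode 4750, group "su"). The function name audit_su and the root-owner default are assumptions, and it relies on GNU stat as found on Linux.

```shell
#!/bin/sh
# Added example (not from the original message). audit_su is a hypothetical
# helper; the path /bin/su and the group "su" are taken from the message.
# Usage: audit_su FILE GROUP [OWNER]   (OWNER defaults to root)
# Returns 0 when FILE matches the restricted setup, 1 on findings, 2 if missing.
audit_su() {
    file=$1 group=$2 owner=${3:-root}
    rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"
        return 2
    fi
    # -L follows symlinks; %a is the octal mode, e.g. 4750 (750 without setuid).
    mode=$(stat -L -c '%a' "$file")
    fowner=$(stat -L -c '%U' "$file")
    fgroup=$(stat -L -c '%G' "$file")

    # Setuid appears as a leading 4, 5, 6 or 7 in a four-digit mode.
    case $mode in
        [4567]???) ;;
        *) echo "FAIL: mode $mode has no setuid bit, so su cannot switch users"
           rc=1 ;;
    esac
    # Last digit is the "other" class: any bit opens the binary to every user.
    case $mode in
        *0) ;;
        *) echo "FAIL: mode $mode grants access outside the group"; rc=1 ;;
    esac
    # Second-to-last digit is the group class: a write bit lets members
    # replace the binary.
    case $mode in
        *[2367]?) echo "FAIL: mode $mode is group-writable"; rc=1 ;;
    esac
    if [ "$fowner" != "$owner" ]; then
        echo "FAIL: owner is $fowner, expected $owner"; rc=1
    fi
    if [ "$fgroup" != "$group" ]; then
        echo "FAIL: group is $fgroup, expected $group"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file is $mode $fowner:$fgroup"
    return "$rc"
}

# Audit the binary from the message; findings are printed, never fatal here.
audit_su /bin/su su || :
```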