Re: disable 'su' for normal users

From: Vincent Danen (vdanen@freezer-burn.org)
Date: 11/10/01


Date: Fri, 9 Nov 2001 17:34:39 -0700
From: Vincent Danen <vdanen@freezer-burn.org>
To: Jose Nazario <jose@biocserver.BIOC.cwru.edu>
Subject: Re: disable 'su' for normal users
Message-ID: <20011109173439.E4205@mandrakesoft.com>


On Fri Nov 09, 2001 at 06:02:26PM -0500, Jose Nazario wrote:

> On Thu, 8 Nov 2001, bugtraq wrote:
>
> > I was wondering how one can disable the su-command for a normal user.
>
> GNU derived 'su', which is typically found on Linux, doesn't enforce what
> every other UNIX does, which is 'wheel' group requirements. this is for
> political/philosophical reasons.
>
> someone will point out how to use PAM to do this, i hope. i don't know a
> whole lot of PAM so i won't comment on it. however, a cheap and simple way
> to do it is this:
>
> # chgrp wheel /bin/su
> # chmod o-rwx /bin/su
>
> now if people are in 'wheel', the group, they can su. no muss, no fuss. it
> should look something like this:
>
> $ ls -l /bin/su
> -rwsr-x--- 1 root wheel 12288 Mar 2 2001 /bin/su*
>
> enjoy. this allows you to have trusted users in the wheel group who can do
> systemly things ...

Your other option (and one I prefer), is to use sudo as a "frontend"
to su. If you strip the suid bit from su, then only root can use it.
Set up sudo to allow access to su (as root) for particular user(s) and
then you don't have to worry about this wheel thing.

This is my preferred solution, at any rate. This way anyone can still
try to use su, and even if they know the root (or other user's)
passwords, they can't actually do the su because it is not setuid.

-- 
vdanen@mandrakesoft.com, OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD
 - Danen Consulting Services    www.danen.net, www.freezer-burn.org
 - MandrakeSoft, Inc. Security  www.linux-mandrake.com

Current Linux kernel 2.4.8-31.1mdk uptime: 11 days 2 hours 16 minutes.
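
The two setups discussed in this thread (su limited to a group via chgrp/chmod o-rwx, and su with its setuid bit stripped behind sudo) can be told apart from the binary's mode bits. The script below is an added example, not part of the original messages; `classify_su` and `su_group` are hypothetical helper names, and the path to check is passed as an argument.

```shell
#!/bin/sh
# Added example: classify how a su binary is restricted, using only its
# mode bits. classify_su and su_group are hypothetical helper names.
#
# classify_su prints one of:
#   no-setuid         setuid bit is stripped, so su cannot switch users for
#                     non-root callers (the sudo-frontend setup)
#   group-restricted  setuid, but "other" has no execute bit
#                     (the chgrp wheel / chmod o-rwx setup)
#   open              setuid and executable by everyone
#   missing           the path is not a regular file (returns 1)
classify_su() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }
    if [ ! -u "$f" ]; then
        echo "no-setuid"
    elif [ -n "$(find "$f" -prune -perm -001)" ]; then
        # find prints the path only when the other-execute bit is set
        echo "open"
    else
        echo "group-restricted"
    fi
}

# Group owner of the file: the group whose members can run su when the
# result is group-restricted.
su_group() {
    ls -ld -- "$1" | awk '{print $4}'
}

# Report on a path given on the command line, e.g. /bin/su
if [ "$#" -gt 0 ]; then
    printf '%s: %s (group %s)\n' "$1" "$(classify_su "$1")" "$(su_group "$1")"
fi
```

A `group-restricted` result only matches the wheel setup if the reported group is the one intended, so check its membership as well.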