Re: disable 'su' for normal users

From: Michael H. Warfield (mhw@wittsend.com)
Date: 11/15/01


Date: Thu, 15 Nov 2001 15:11:13 -0500
From: "Michael H. Warfield" <mhw@wittsend.com>
To: Jose Nazario <jose@biocserver.BIOC.cwru.edu>
Subject: Re: disable 'su' for normal users
Message-ID: <20011115151113.A32366@alcove.wittsend.com>

On Fri, Nov 09, 2001 at 06:02:26PM -0500, Jose Nazario wrote:

> someone will point out how to use PAM to do this, i hope. i don't know a
> whole lot of PAM so i won't comment on it. however, a cheap and simple way
> to do it is this:

        From the file "/etc/pam.d/su":

# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/pam_wheel.so use_uid

        So if you have those lines, uncomment the indicated line. If you
don't have those lines in /etc/pam.d/su then add the indicated line.

> # chgrp wheel /bin/su
> # chmod o-rwx /bin/su

> now if people are in 'wheel', the group, they can su. no muss, no fuss. it
> should look something like this:

> $ ls -l /bin/su
> -rwsr-x--- 1 root wheel 12288 Mar 2 2001 /bin/su*

> enjoy. this allows you to have trusted users in the wheel group who can do
> systemly things ...

> ____________________________
> jose nazario jose@cwru.edu
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)

        Mike

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
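
An added example, not part of the original messages: a small audit of the two restrictions discussed in this thread, the pam_wheel line in /etc/pam.d/su and the group-only mode on the su binary. The function names are hypothetical and the sample input is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# pam_wheel_enabled FILE
# Succeeds if FILE has an active (uncommented) "auth" line that loads
# pam_wheel.so with a required/requisite control flag. Bracketed
# [value=action] controls are not interpreted by this simple check.
pam_wheel_enabled() {
    awk '
        /^[[:space:]]*#/ { next }            # commented out: not in effect
        $1 == "auth" && ($2 == "required" || $2 == "requisite") {
            n = split($3, part, "/")         # accept bare name or full path
            if (part[n] == "pam_wheel.so") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# su_listing_restricted "LS_L_LINE" [GROUP]
# Succeeds if the `ls -l` line shows a setuid file owned by root:GROUP
# (default wheel) that the group can execute and "other" cannot touch.
su_listing_restricted() {
    want_group=${2:-wheel}
    set -f                                   # listing may end in "*"; no globbing
    set -- $1                                # split the listing into fields
    set +f
    case $1 in
        -??s??x---*) ;;                      # setuid, group x, other ---
        *) return 1 ;;
    esac
    [ "$3" = root ] && [ "$4" = "$want_group" ]
}

# Constructed sample input: the stock file with the line still commented,
# and the listing shown in the quoted message.
sample=$(mktemp)
printf '%s\n' '#auth required /lib/security/pam_wheel.so use_uid' >"$sample"
pam_wheel_enabled "$sample" && echo "pam_wheel: enforced" \
    || echo "pam_wheel: not enforced (line is commented out)"
su_listing_restricted '-rwsr-x--- 1 root wheel 12288 Mar 2 2001 /bin/su*' \
    && echo "su binary: restricted to wheel" || echo "su binary: open to others"
rm -f "$sample"
```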


