Re: Seeing who has su-ed

From: Brian Hatch (focus-linux@ifokr.org)
Date: 03/21/03

  • Next message: Thomas Cameron: "RE: Seeing who has su-ed"
    Date: Fri, 21 Mar 2003 09:08:05 -0800
    From: Brian Hatch <focus-linux@ifokr.org>
    To: "Klotz, Brian" <Brian_Klotz@heald.edu>
    
    
    

    > I teach a Linux basics course and each term I have the problem of students
    > who do an su to become root, then rather than exiting, they su again to go
    > back to their regular account. The trouble is identifying when someone has
    > done this (they usually don't remember). The "who" command only shows login
    > shells (AFAIK) so it does not reveal when someone has su-ed.
    >
    > Does anyone know of a way to list all of the users currently logged in,
    > including when someone has su-ed to become another user?

    Don't allow them to 'su root' but instead give them access to root
    commands using sudo. Then they'd "sudo ifconfig blahblahblah" each time
    to run ifconfig, etc, and don't get a shell from which they'd be running
    around as root itself, and wouldn't need to su back to their uid.[1]

    If you do want to allow actual 'su' then you can simply check ps to
    see what processes chains have consecutive 'su' processes. Analyzing
    'pstree' output with perl would probably be pretty easy. pstree will
    handle organizing parent and child processes, so you'd just need to
    watch to see when two su processes exist in a chain.

    This could easily be defeated as well. Someone could create a two line
    C program to setuid and exec a shell s.t. there's no 'su' process in
    the list, but I assume you're just looking to watch for casual 'su'
    overuse.

    [1] Of course you need to make sure that you lock things down well - for
    example if you allowed 'sudo vi' then someone could spawn a shell from
    vi to be at a root prompt. Locking down sudo is tough - start out very
    restrictive and add specific commands as they're needed.

    --
    Brian Hatch                  A closed mouth
       Systems and                gathers no feet.
       Security Engineer
    www.hackinglinuxexposed.com
    Every message PGP signed
    
    



  • Next message: Thomas Cameron: "RE: Seeing who has su-ed"

    Relevant Pages

    • Re: Sudo question
      ... even with Rsh ... Subject: Sudo question ... allow sudo to call a restricted shell. ... this command full root access. ...
      (AIX-L)
    • Re: root group in solaris
      ... sudo -s opens a root level shell that can be used to issue multiple ... appropriate commands. ... that could be kept if commands were issued separately prefixed with sudo. ...
      (Focus-SUN)
    • Re: hi all..
      ... and someone gets access your shell account, ... Only root can install an su binary. ... Of course, if I have sudo ...
      (Fedora)
    • Re: root shell
      ... In 'usuall' Linux-Systems you use 'su -' to gain root privileges WITH the ... Provide an environment similar to what the user would expect had ... so 'sudo -i' is the equivalent in sudo driven systems. ... The command name argument given to the shell begins with a - to ...
      (Ubuntu)
    • Re: sudo and PATH?
      ... Doesn't the shell evaluate the $PATH variable prior to executing the command? ... substitution you are still you, and not root, yet. ... using sudo, rather than using sudo to get a shell, appears to be mine. ...
      (Ubuntu)