Re: Seeing who has su-ed
From: Brian Hatch (firstname.lastname@example.org)
Date: Fri, 21 Mar 2003 09:08:05 -0800
From: Brian Hatch <email@example.com>
To: "Klotz, Brian" <Brian_Klotz@heald.edu>
> I teach a Linux basics course and each term I have the problem of students
> who do an su to become root, then rather than exiting, they su again to go
> back to their regular account. The trouble is identifying when someone has
> done this (they usually don't remember). The "who" command only shows login
> shells (AFAIK) so it does not reveal when someone has su-ed.
> Does anyone know of a way to list all of the users currently logged in,
> including when someone has su-ed to become another user?
Don't allow them to 'su root' but instead give them access to root
commands using sudo. Then they'd "sudo ifconfig blahblahblah" each time
to run ifconfig, etc, and don't get a shell from which they'd be running
around as root itself, and wouldn't need to su back to their uid.
If you do want to allow actual 'su' then you can simply check ps to
see what processes chains have consecutive 'su' processes. Analyzing
'pstree' output with perl would probably be pretty easy. pstree will
handle organizing parent and child processes, so you'd just need to
watch to see when two su processes exist in a chain.
This could easily be defeated as well. Someone could create a two line
C program to setuid and exec a shell s.t. there's no 'su' process in
the list, but I assume you're just looking to watch for casual 'su'.
Of course you need to make sure that you lock things down well - for
example if you allowed 'sudo vi' then someone could spawn a shell from
vi to be at a root prompt. Locking down sudo is tough - start out very
restrictive and add specific commands as they're needed.
--
Brian Hatch                  A closed mouth
  Systems and                gathers no feet.
  Security Engineer
www.hackinglinuxexposed.com
Every message PGP signed
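The process-tree walk Brian describes, written out as an added example (this is not code from the original post, nor Brian Hatch's). It reads the Linux/procps `ps -eo pid,ppid,user,comm` column layout instead of scripting `pstree`, follows every process back to init, and reports any leaf process with two or more `su` ancestors. The `SAMPLE_PS` table is constructed for illustration; the `--live` flag is this script's own convention, not a `ps` option. As the post notes, this only catches real `su` invocations: a hand-rolled setuid-and-exec program leaves no `su` in the tree.

```python
#!/usr/bin/env python3
"""Flag users who have su-ed to root and then su-ed again instead of exiting.

Added example, not from the original mailing-list post.  It reads
`ps -eo pid,ppid,user,comm` (Linux/procps column layout assumed), walks each
process's ancestors, and reports any leaf process whose ancestry contains two
or more `su` processes.
"""
import subprocess
import sys
from collections import defaultdict

# Constructed sample of `ps -eo pid,ppid,user,comm` output, not real data.
# alice: bash -> su -> bash(root) -> su -> bash(alice)   (the double-su case)
# bob:   bash -> su -> bash(root)                         (a normal root shell)
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
  900     1 root     sshd
 1200   900 alice    bash
 1210  1200 root     su
 1211  1210 root     bash
 1220  1211 root     su
 1221  1220 alice    bash
 1300   900 bob      bash
 1310  1300 root     su
 1311  1310 root     bash
"""


def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,comm` output into {pid: (ppid, user, comm)}."""
    procs = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue                            # blank or truncated line
        pid, ppid, user, comm = fields
        procs[int(pid)] = (int(ppid), user, comm.strip())
    return procs


def ancestry(procs, pid):
    """Yield (pid, user, comm) for pid and each ancestor, innermost first."""
    seen = set()                                # guard against ppid loops in odd input
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, user, comm = procs[pid]
        yield pid, user, comm
        pid = ppid


def find_double_su(procs, min_su=2):
    """Return [(leaf_pid, leaf_user, [su pids, innermost first])] for every
    leaf process whose ancestor chain holds at least min_su `su` processes.
    Only leaves are reported so that each chain shows up once."""
    children = defaultdict(list)
    for pid, (ppid, _, _) in procs.items():
        children[ppid].append(pid)
    hits = []
    for pid, (_, user, _) in procs.items():
        if children[pid]:
            continue                            # not a leaf; its children report it
        su_pids = [p for p, _, c in ancestry(procs, pid) if c == "su"]
        if len(su_pids) >= min_su:
            hits.append((pid, user, su_pids))
    return sorted(hits)


def live_ps():
    """Run ps on the local box (Linux/procps assumed)."""
    return subprocess.check_output(
        ["ps", "-eo", "pid,ppid,user,comm"], text=True)


if __name__ == "__main__":
    # `--live` is this script's own flag: walk the real process table
    # instead of the constructed sample above.
    text = live_ps() if "--live" in sys.argv else SAMPLE_PS
    for pid, user, su_pids in find_double_su(parse_ps(text)):
        print(f"pid {pid} ({user}) sits below {len(su_pids)} su processes: {su_pids}")
```

On the constructed sample only alice's inner shell (pid 1221) is reported, with both `su` pids in its chain; bob's plain root shell has a single `su` ancestor and is ignored. Run with `--live` on a lab box to check the real process table; lowering `min_su` to 1 lists every shell that sits under any `su` at all.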