RE: Solaris, Sudo, and locking the root account

From: Fredrik Pettai (fredrik.pettai@copper.se)
Date: 09/28/01


Message-ID: <67CD8E4253F9D41182BB0002B3151E5A1CBA7E@QUEENS>
From: Fredrik Pettai <fredrik.pettai@copper.se>
To: 'Gordon Ewasiuk' <gewasiuk@gnmc.net>, focus-sun@securityfocus.com
Subject: RE: Solaris, Sudo, and locking the root account
Date: Fri, 28 Sep 2001 21:03:32 +0200

I think it's unnecessary to take that action (at least on ALL machines).
Instead you could do the following to make all administrators use sudo:

1. Edit the /etc/default/login (& /etc/default/su) and change the line:

        CONSOLE=/dev/console

to look like this:

        CONSOLE=-

This removes the possibility of direct root logins. All users have to log in
as a normal user first, in order to become root...
(I have not tested this in single-user mode, so I don't know if it's possible
to give the root password in case of an abnormal shutdown and a dirty
filesystem that needs a manual fsck pass.)

2. Change the group on /sbin/su.static and /usr/bin/su to root or a custom
"new" group.

For example, I do it like this:

        groupadd -g 13 sugroup
        chgrp sugroup /sbin/su.static /usr/bin/su
        chmod 0550 /sbin/su.static
        chmod 4550 /usr/bin/su

or just:

        chgrp root /sbin/su.static /usr/bin/su
        chmod 0550 /sbin/su.static
        chmod 4550 /usr/bin/su

(or remove them completely...)

This will make only root & members of sugroup able to run su.

3. Create /etc/shells and /etc/ftpusers files

The /etc/shells should _not_ contain root's shell (/sbin/sh).
The /etc/ftpusers should contain at least the root user.

This will make it hard to access the root account through another way than
through sudo...
Of course, this isn't as secure as an NP in the shadow file, but this machine
will probably be easier to maintain (once all changes have been done)...

What do you think?

(and yes, English is not my native language...)

/P
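
The three steps in the message above can be checked after they have been applied. The audit script below is an added example, not part of the original message. Its function names and the ROOT path prefix are assumptions made for illustration, and it is written for a POSIX shell.

```shell
#!/bin/sh
# Audit the three steps from the message. ROOT (hypothetical) is an optional
# path prefix, so the checks can also run against a copied or constructed tree.

check_console() {   # step 1: /etc/default/login has an active CONSOLE=- line
    grep '^CONSOLE=-$' "$1/etc/default/login" >/dev/null 2>&1
}

check_su_perms() {  # step 2: no permission bits for "other" on either su binary
    for f in "$1/sbin/su.static" "$1/usr/bin/su"; do
        [ -e "$f" ] || continue        # the message allows removing them
        # characters 8-10 of the ls mode string are the "other" rwx bits
        [ "$(ls -ld "$f" | cut -c8-10)" = "---" ] || return 1
    done
}

check_shells() {    # step 3a: /etc/shells exists and does not list /sbin/sh
    [ -f "$1/etc/shells" ] && ! grep '^/sbin/sh$' "$1/etc/shells" >/dev/null
}

check_ftpusers() {  # step 3b: /etc/ftpusers exists and lists root
    grep '^root$' "$1/etc/ftpusers" >/dev/null 2>&1
}

audit() {           # prints one line per check; returns the number of failures
    bad=0
    for c in check_console check_su_perms check_shells check_ftpusers; do
        if "$c" "$1"; then
            echo "OK    $c"
        else
            echo "FAIL  $c"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run against the live system only when asked: sh audit.sh --run [ROOT]
if [ "${1:-}" = "--run" ]; then audit "${2:-}"; fi
```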