LinuxQuestions.org
Old 07-09-2004, 08:47 AM   #1
kj6loh
Member
 
Registered: Jun 2004
Posts: 43

Rep: Reputation: 16
limiting su root with wheel group?


Does this work? I only want to limit certain users from being able to log in to root. These other users must be able to use su, but not to root. I could use sudo, but is there a way I could do this without using sudo?

Putting people in the wheel group apparently works in FreeBSD, but I don't want to have to resort to changing my O/S.
 
Old 07-10-2004, 07:20 PM   #2
320mb
Senior Member
 
Registered: Nov 2002
Location: pikes peak
Distribution: Slackware, LFS
Posts: 2,577

Rep: Reputation: 47
In Slackware the prog is.........

sudo

when installed, there will be a script in /etc/
called sudoers that you will need to edit....!!!

Last edited by 320mb; 07-10-2004 at 07:21 PM.
 
Old 07-10-2004, 07:55 PM   #3
comp12345
Member
 
Registered: Feb 2004
Posts: 467

Rep: Reputation: 30
Edit the contents of /etc/pam.d/su and uncomment
Code:
auth	required	pam_wheel.so
There's a tutorial on some other options here:
http://www.phptr.com/articles/articl...65226&seqNum=1

Access control with su starts on page 10.
 
Old 07-11-2004, 02:08 AM   #4
kj6loh
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 16
Quote:
Originally posted by comp12345
Edit the contents of /etc/pam.d/su and uncomment
Code:
auth	required	pam_wheel.so
There's a tutorial on some other options here:
http://www.phptr.com/articles/articl...65226&seqNum=1

Access control with su starts on page 10.
Yes, but as I said elsewhere this makes su inaccessible by users not in the wheel group. I want other users, not in the wheel group, to be able to su to users other than root.
 
Old 07-11-2004, 02:10 AM   #5
kj6loh
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 16
Quote:
Originally posted by 320mb
In Slackware the prog is.........

sudo

when installed, there will be a script in /etc/
called sudoers that you will need to edit....!!!
The point of this question was NOT to use sudo. I've installed and used sudo successfully in the past.
 
Old 07-11-2004, 08:28 AM   #6
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 47
look in /etc/login.defs (Slackware).

SU_WHEEL_ONLY yes
 
Old 07-11-2004, 05:27 PM   #7
kj6loh
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 16
Quote:
Originally posted by ppuru
look in /etc/login.defs (Slackware).

SU_WHEEL_ONLY yes
Problem is that most modern linuxes use the GNU su and not the one from the shadow suite (which would conform to this). Oh well, another source code modification!
 
Old 07-11-2004, 05:39 PM   #8
comp12345
Member
 
Registered: Feb 2004
Posts: 467

Rep: Reputation: 30
Quote:
Originally posted by kj6loh
Yes, but as I said elsewhere this makes su inaccessible by users not in the wheel group. I want other users, not in the wheel group, to be able to su to users other than root.
Would you at least read the article or at least find out what pam_wheel does before knocking my solution? Sheesh. I'll even make it easy for you.

The full documentation for pam_wheel can be found here:
http://www.kernel.org/pub/linux/libs...-6.html#ss6.29

From the documentation,
Code:
Overview
Only permit root access to members of the wheel (gid=0) group. 

Description
This module is used to enforce the so-called wheel group. By default,
it permits root access to the system if the applicant user is a member
of the wheel group (first, the module checks for the existence of a
'wheel' group. Otherwise the module defines the group with group-id 0
to be the wheel group).
It doesn't deny other users from using su.

Last edited by comp12345; 07-11-2004 at 05:44 PM.
 
Old 07-11-2004, 06:55 PM   #9
kj6loh
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 16
Quote:
Originally posted by comp12345
Would you at least read the article or at least find out what pam_wheel does before knocking my solution? Sheesh. I'll even make it easy for you.

The full documentation for pam_wheel can be found here:
http://www.kernel.org/pub/linux/libs...-6.html#ss6.29

From the documentation,
Code:
Overview
Only permit root access to members of the wheel (gid=0) group. 

Description
This module is used to enforce the so-called wheel group. By default,
it permits root access to the system if the applicant user is a member
of the wheel group (first, the module checks for the existence of a
'wheel' group. Otherwise the module defines the group with group-id 0
to be the wheel group).
It doesn't deny other users from using su.
Oops. My bad. I did this with the shadow password suite, which ppuru turned me on to very indirectly.
 
Old 07-11-2004, 11:03 PM   #10
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
I'm cornfused here...

If a user is allowed or denied su because of a certain group that's one thing.

However, how can a user be denied su or login as root? The username is root! So therefore would one not need the root password?

I guess there is use for it but I see no need to modify things when one knowing root's password can simply login as root to circumvent any restriction. If root's password is not known su root is futile.

Unless of course root has no login and no password.
 
Old 07-12-2004, 12:40 AM   #11
comp12345
Member
 
Registered: Feb 2004
Posts: 467

Rep: Reputation: 30
The user is only denied access if the user tries to su to the root account and is not part of the wheel group; even if he/she knows the root password. Funny thing is that the root account also fails when trying su, at least on the box I tried it on. But then if you're already logged in as root, you wouldn't need to su to root. I still find it weird though.

Last edited by comp12345; 07-12-2004 at 12:41 AM.
 
Old 07-12-2004, 01:26 PM   #12
kj6loh
Member
 
Registered: Jun 2004
Posts: 43

Original Poster
Rep: Reputation: 16
Quote:
Originally posted by comp12345
The user is only denied access if the user tries to su to the root account and is not part of the wheel group; even if he/she knows the root password.
Yes.

Quote:
Originally posted by comp12345
Funny thing is that the root account also fails when trying su, at least on the box I tried it on. But then if you're already logged in as root, you wouldn't need to su to root. I still find it weird though.
huh?

wheel group is usually 10 but both the shadow pwd suite, and I'd assume the pam soln from the docs posted above, require a member to be in group 0 which normally is not wheel. But no problem.

If you decide to take root out of the root group (gid=0), root will still be able to log back into root using the shadow suite soln (I just tried it and it works). I do not use the pam soln so I can't comment on that. If the pam soln indeed does not allow root to log back into root, I would consider that a bug, a minor one, but nonetheless.

The shadow suite can be found here:

ftp://ftp.pld.org.pl/software/shadow

Quote:
Originally posted by DavidPhillips
However how can a user be denied to su or login as root? The username is root! So therefore would one not need the root password?
Say this is a regular user, outside the operations or admin or whatever you call them department or an outside consultant. Would you want them to be able to su to root?

Quote:
Originally posted by DavidPhillips
I guess there is use for it but I see no need to modify things when one knowing root's password can simply login as root to circumvent any restriction.
You enable remote login by root?
The computer is behind a locked door and even I, as well as every sysad, have to sign the key out if I want entrance.

Quote:
Originally posted by DavidPhillips
Unless of course root has no login and no password.
And no, root does not have a null password. The password is .... ehh, tell you later.

Last edited by kj6loh; 07-12-2004 at 01:49 PM.
 
Old 07-13-2004, 11:41 PM   #13
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
Quote:
Say this is a regular user, outside the operations or admin or whatever you call them department or an outside consultant. Would you want them to be able to su to root?
No, but how could they do that without root's password?
Quote:
You enable remote login by root?
The computer is behind a locked door and even I, as well as every sysad, have to sign the key out if I want entrance.
No, but if a remote user needs to login and does then needs root access they can su to root if they know the password. If not they can't.

Guess I'm still missing the point here as I don't see how anyone who should not can su to root anyway and I don't see why if someone (like me) needs to su to root why they should not be able to.
 
Old 07-16-2004, 08:39 AM   #14
zaichik
Member
 
Registered: May 2004
Location: Iowa USA
Distribution: CentOS
Posts: 419

Rep: Reputation: 30
One way to make use of the idea of the wheel group and restricting who can su to root:

We have a large number of Linux servers and use this technique. The machines are always logged into remotely (unless a local login is required, as when sshd dies or something).

Remote login as root is prohibited. That means for an attacker to get root on the box, they must first obtain/crack a normal user account, and then attempt to guess the root password. By using wheel and restricting who can su to root, we have added another layer of security: The attacker must get the login not for just any account, but specifically for an account that has permission to su to root.

Most of these boxes are a number of web domains, each of which has an associated user account (for uploading files, etc.) It's child's play to obtain the username for these accounts; just watch until there is a PHP error, and bang, it is spelled out: Something like

PHP Error blah blah
Line 29 /home/george/public_html/index.php.

The attacker now knows that there is a user named george. With enough effort, he can probably crack george's password. If george were allowed to su to root, then the attacker only has to keep trying to guess the root password. Since george is prohibited from using su to root, all he can do is screw with george's files.

That's just one way to use it. I see your confusion: Why restrict who can do it when the person only has to login as root? But if we are talking about remote access only, and disallowing remote login for root, then I think it may become clearer.

Hope that helped.

Last edited by zaichik; 07-16-2004 at 08:41 AM.
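Added example, not code from the thread: a POSIX shell model of the pam_wheel decision comp12345 quoted above, run over constructed group, passwd and pam.d files, with zaichik's george account as one of the users. It assumes the semantics as quoted in the thread (only a root target is checked; members of "wheel", or of gid 0 if no "wheel" group exists, pass); newer Linux-PAM releases also have a `root_only` option, so check pam_wheel(8) for your version before relying on the root-only behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): model the pam_wheel decision quoted
# above and check who could still su to root under a given /etc/pam.d/su.
# Assumed semantics: check applies only when the target is root; members of
# "wheel" (primary gid or group-file member) pass; no "wheel" group -> gid 0.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample files. wheel is gid 10 (as kj6loh notes) and root's
# primary group is 0, so root itself is not in wheel here.
cat >"$WORK/group" <<'EOF'
root:x:0:
wheel:x:10:alice
EOF
cat >"$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:100:Alice:/home/alice:/bin/sh
george:x:1001:100:George:/home/george:/bin/sh
EOF
printf 'auth required pam_wheel.so use_uid\n' >"$WORK/su.enforced"
printf '#auth required pam_wheel.so use_uid\n' >"$WORK/su.default"

# pam_wheel_enforced PAMFILE: true if an uncommented auth line loads pam_wheel.so
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# wheel_gid GROUPFILE: gid of "wheel" if present, else 0 (pam_wheel's fallback)
wheel_gid() {
    awk -F: '$1=="wheel"{print $3; f=1} END{if(!f) print 0}' "$1"
}

# in_group USER GID GROUPFILE PASSWDFILE: primary gid match or listed member
in_group() {
    awk -F: -v u="$1" -v g="$2" '$1==u && $4==g{f=1} END{exit !f}' "$4" ||
    awk -F: -v u="$1" -v g="$2" '$3==g{n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]==u) f=1} END{exit !f}' "$3"
}

# su_allowed USER TARGET PAMFILE GROUPFILE PASSWDFILE: prints allow or deny
# (allow = pam_wheel does not object; the target's password is still required)
su_allowed() {
    if ! pam_wheel_enforced "$3" || [ "$2" != root ]; then echo allow; return; fi
    if in_group "$1" "$(wheel_gid "$4")" "$4" "$5"; then echo allow; else echo deny; fi
}

for u in alice george root; do
    echo "$u -> root: $(su_allowed "$u" root "$WORK/su.enforced" "$WORK/group" "$WORK/passwd")"
done
```

Note that root itself comes out as "deny" because its primary group is 0, not wheel, which is the behaviour comp12345 observed; george can still su to alice because the module only checks a root target.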
 
Old 07-16-2004, 09:01 PM   #15
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
I see your point, that's a good idea.

I actually have accounts that may be worth protecting this way. I do not have servers running from their home folder like that but I see what you mean.

I check my email quite often and all logins are logged. Especially failed ones.
 