LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-29-2011, 08:26 PM   #1
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 610

Rep: Reputation: 30
Question Limit "su" usage to only 1 user account


I've noticed that "su" can be run from any user account so long as the user knows the root password. What if I want to limit the ability to "su" to only 1 user account?

For example: Pretend my desktop has 4 different user accounts. Currently each user account could run "su" for root access if the person sitting in front of the screen knows the password.

My questions:

1) Could I somehow make only 1 of the 4 user accounts able to "su" into root mode?

2) If yes, then would doing so have any side-effects?

Thank you.
 
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 04-29-2011, 08:48 PM   #2
jthill
Member
 
Registered: Mar 2010
Distribution: Arch
Posts: 211

Rep: Reputation: 67
You want "sudo", which lists who can do what in /etc/sudoers and /etc/sudoers.d. Don't let the manpage scare you, look at the examples towards the end or google for them.

sudo bash (or your preferred shell) works just as well as su.
 
Old 04-29-2011, 08:50 PM   #3
vtel57
Member
 
Registered: Jul 2006
Location: VPN Tunnel, USA
Distribution: Slackware64
Posts: 917

Rep: Reputation: 105Reputation: 105
Not to my knowledge. ROOT = GOD on Unix/Linux systems. Once a user knows the root password, the only way to limit that user is to change the password. You can set the users on your system up to use sudo instead. It's a much better way to allow temp root privileges for certain users.

EDIT: jthill beat me by a minute or two.

Last edited by vtel57; 04-29-2011 at 08:51 PM.
 
Old 04-29-2011, 08:56 PM   #4
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 332Reputation: 332Reputation: 332Reputation: 332
In addition to what jthill said I would add that your first problem is that unauthorized people know the root password.

You can remedy this problem as jthill said by using sudo. That way you put the name of the authorized user account into the /etc/sudoers file and that person only needs to know their own password to do whatever they need to do that requires privileges. This way you don't share the root password with anyone and the authorized person cannot tell others the root password.

It's not a fool proof system but it is better than telling one person the root password and then that person shares the password with unauthorized people, if that is what is happening.
 
Old 04-30-2011, 08:16 AM   #5
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 1,792

Rep: Reputation: 618Reputation: 618Reputation: 618Reputation: 618Reputation: 618Reputation: 618
To add to what was said above, the sequence is this:
1. install sudo,
2. configure sudo so the user who need root access can get it using sudo
3. Educate the sudo user about the sudo command needed to do the job
4. change the root password to something NO ONE ELSE KNOWS
5. wait for the panic calls from the users who should never have had root access, complaining that it went away.

If you do not change the root password AND keep the new one secret, you will not have solved the problem.

This takes some chops. If you own the machine, this is no problem. If you have a boss, if those who just lost root authority complain to the boss that they can no longer work because of the change he MAY order you to reverse this! You need to have informed him about what you are doing and have his support FIRST in this case. If you have no boss or ARE the boss, get it done yesterday.

Been there, done that, buried the melted phone beside the parking lot in an unmarked grave. (But made the new policy stick, and improved uptime by a 9!)
 
Old 04-30-2011, 09:10 AM   #6
markush
Senior Member
 
Registered: Apr 2007
Location: Germany
Distribution: Slackware
Posts: 3,979

Rep: Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850
Quote:
Originally Posted by MBA Whore View Post
I've noticed that "su" can be run from any user account so long as the user knows the root password....
Quote:
Originally Posted by vtel57
... ROOT = GOD on Unix/Linux systems. Once a user knows the root password, the only way to limit that user is to change the password...
both is not true. You can configure the su command in a way that only members of the group wheel are permitted to become root via su. Add the option "SU_WHEEL_ONLY yes" to your /etc/login.defs file.

Note that configuring for sudo (which is a very good solution) does not prevent anyone from using su to become root. So consider to do both (restrict su and configure sudo).

Markus

Last edited by markush; 04-30-2011 at 09:13 AM.
 
2 members found this post helpful.
Old 04-30-2011, 12:44 PM   #7
vtel57
Member
 
Registered: Jul 2006
Location: VPN Tunnel, USA
Distribution: Slackware64
Posts: 917

Rep: Reputation: 105Reputation: 105
Quote:
Originally Posted by markush View Post
both is not true. You can configure the su command in a way that only members of the group wheel are permitted to become root via su. Add the option "SU_WHEEL_ONLY yes" to your /etc/login.defs file.
Couldn't any user defeat the SU_WHEEL_ONLY option by just logging in as root? In other words, logout of the system completely and then login as:

username: root
pw: <root password>


I still say the root password makes anyone GOD on a Linux system. Am I wrong?
 
Old 04-30-2011, 12:51 PM   #8
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,284

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by vtel57 View Post
Couldn't any user defeat the SU_WHEEL_ONLY option by just logging in as root? In other words, logout of the system completely and then login as:

username: root
pw: <root password>


I still say the root password makes anyone GOD on a Linux system. Am I wrong?
In principle, one could disable ssh root logins and lock the machine up somewhere (no console access) and turn off all other remote login services so that people could only login via ssh. Then people could not login directly as root (at least not in any way I could think of -- /bin/login appears to require root privs already to work). Still, the point remains that untrusted users having the root password is a very bad thing. Still, a good reason to disable su is so that even trusted users have to use sudo, which provides much more fine grained access control.
 
Old 04-30-2011, 01:09 PM   #9
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 670Reputation: 670Reputation: 670Reputation: 670Reputation: 670Reputation: 670
Since the real problem is that other users know the root password, the first step should be to change the root password.
You can configure sudo to use the users password instead of the target password (root's password) to allow trusted regular users to run some root commands but not learn the root password.

If you don't lock down the sudo configuration, users can get around it by running "sudo /bin/bash" or a shell escape in vim, but the first command would be logged, and they would have to remember to edit the log.

If the regular users only need to do things like mount external drives, and eject media, instead of giving them sudo access, consider using PolicyKit instead.
Look at the "polkit-auth" command or the KDE/Gnome policy editors.
 
Old 04-30-2011, 02:44 PM   #10
MTK358
LQ 5k Club
 
Registered: Sep 2009
Posts: 6,443
Blog Entries: 3

Rep: Reputation: 721Reputation: 721Reputation: 721Reputation: 721Reputation: 721Reputation: 721Reputation: 721
Quote:
Originally Posted by MBA Whore View Post
I've noticed that "su" can be run from any user account so long as the user knows the root password. What if I want to limit the ability to "su" to only 1 user account?
Why did you tell the other users the root password, then? That's the whole point of a password: if you know it, you can get in.

Change the password and tell it only to the people who you want to be able to log in as root.
 
Old 04-30-2011, 02:51 PM   #11
Arcane
Member
 
Registered: May 2006
Location: Latvia, Europe
Distribution: random
Posts: 303

Rep: Reputation: 233Reputation: 233Reputation: 233
Isn't it easier to set permissions?
Quote:
Originally Posted by vtel57 View Post
{...}I still say the root password makes anyone GOD on a Linux system. Am I wrong?
To be honest yes wrong..GOD is person who has physical access to computer not root password knowing..
 
Old 04-30-2011, 03:27 PM   #12
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 610

Original Poster
Rep: Reputation: 30
Hmmm - so based upon these replies - it might be possible to limit "su" to just one user, but would everyone agree that adopting the "sudo" instead of "su" approach be easier?
 
Old 04-30-2011, 03:31 PM   #13
markush
Senior Member
 
Registered: Apr 2007
Location: Germany
Distribution: Slackware
Posts: 3,979

Rep: Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850
If you mean configuring sudo instead of giving the root-password to other persons, then the sudo approach is better.

Markus
 
Old 05-01-2011, 12:12 AM   #14
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 610

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by markush View Post
If you mean configuring sudo instead of giving the root-password to other persons, then the sudo approach is better.

Markus


Yes, that is what I meant. Thank you all for your help. I will see if I can mark this "solved".
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Hardening security: limit "ps" outputs to current user only? wickedcracker Linux - Security 2 03-27-2010 03:31 PM
New user first login attempt gets "Account locked. Maximum attempts reached" p3t0rt Linux - Newbie 2 07-21-2009 05:40 PM
"To add a new user account, log in to the root account" how do i do this (im new) pierce77x Linux - Newbie 4 12-28-2008 03:44 PM
Root can log on, user account can't. "Error in service module" Charlie Spencer Linux - Newbie 3 09-13-2006 02:35 PM
Two problem about "using pam to limit user login" coolend Linux - General 3 06-04-2004 02:11 PM


All times are GMT -5. The time now is 05:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration