Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
How to protect "su -" commａｎｄ．
I tried to change the /bin/su to chmod 600, deleted the "#" from "auth required /lib/security/$ISA/pam_wheel.so use_uid" of /etc/pam.d/su and add the myaccount to the "wheel:x:10:root,myaccount" of the /etc/group.
and then I login again myaccount, and try type "su -". It failed．
All general user cannot be use “su -” now!
You turned the SETUID bit off on /bin/su when you chmod'ed it to 0600 -- su needs to be able to acquire superuser priviliges, hence the need. Just do 'chmod u+s /bin/su' to fix that (or 'chmod 4600 /bin/su' if you like numeric permissions). Another problem is with those permissions it's unexecutable by anyone but root, which kind of destroys the point if you want to be able to su to root. You should probably just set the permissions back to as they were and let the PAM stuff do its magic.
That looks correct to me. You;ll need to make sure that members of the wheel group can execute su too (i.e. you can change the group of /bin/su to wheel and make it group executable, but be sure to leave the SETUID bit on).
Originally posted by treotan I know! if they don't know the pw, su command is not work! But I think this is a security issue.
That's cool! I figured it out that you see a security issue there or you wouldn't be doing this! I'm just wondering what the issue is! That's why I mentioned that they need a password to make it work! Without the password su does not function! What is the issue!? Or are you just being safe!? I'm just not aware of su providing any backdoor type functionality with failed attempts to use it!