LinuxQuestions.org
Old 07-18-2004, 11:56 AM   #1
treotan
Member
 
Registered: Jun 2004
Posts: 126

Rep: Reputation: 15
protect su command


How do I protect the "su -" command?
I tried to chmod /bin/su to 600, deleted the "#" from "auth required /lib/security/$ISA/pam_wheel.so use_uid" in /etc/pam.d/su, and added myaccount to "wheel:x:10:root,myaccount" in /etc/group.

Then I logged in again as myaccount and tried typing "su -". It failed.
No general user can use "su -" now!

How do I give the right to use "su -" to a specific user?
 
Old 07-18-2004, 12:28 PM   #2
ranger_nemo
Senior Member
 
Registered: Feb 2003
Location: N'rn WI -- USA
Distribution: Kubuntu 8.04, ClarkConnect 4
Posts: 1,142

Rep: Reputation: 47
I'm not too sure about the group-stuff you are doing... Is su owned by root.wheel?

Anyway, if you want to let a group run su, you have to set the permissions to allow it... "chmod g+x su". 600 only allows the owner of su to run it.
 
Old 07-18-2004, 01:01 PM   #3
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,275

Rep: Reputation: 370
You turned the SETUID bit off on /bin/su when you chmod'ed it to 0600 -- su needs to be able to acquire superuser privileges, hence the need. Just do 'chmod u+s /bin/su' to fix that (or 'chmod 4600 /bin/su' if you like numeric permissions). Another problem is with those permissions it's unexecutable by anyone but root, which kind of destroys the point if you want to be able to su to root. You should probably just set the permissions back to as they were and let the PAM stuff do its magic.
 
Old 07-18-2004, 09:30 PM   #4
treotan
Member
 
Registered: Jun 2004
Posts: 126

Original Poster
Rep: Reputation: 15
Thanks! But I want to give some users the right to become superuser with su! How do I do that?

Did I do it correctly?
1. Deleted the "#" from "auth required /lib/security/$ISA/pam_wheel.so use_uid" in /etc/pam.d/su
2. Added myaccount to "wheel:x:10:root,myaccount" in /etc/group
 
Old 07-18-2004, 09:52 PM   #5
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,275

Rep: Reputation: 370
That looks correct to me. You'll need to make sure that members of the wheel group can execute su too (i.e. you can change the group of /bin/su to wheel and make it group executable, but be sure to leave the SETUID bit on).
 
Old 07-18-2004, 09:54 PM   #6
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
You could always play with
/etc/sudoer
to achieve that :)


Cheers,
Tink
 
Old 07-18-2004, 10:22 PM   #7
treotan
Member
 
Registered: Jun 2004
Posts: 126

Original Poster
Rep: Reputation: 15
To Tinkster
How to use /etc/sudoer?

To Btmiller
Sorry I don't understand "but be sure to leave the SETUID bit on"?

Can anyone tell me the procedure for making a group able to use the "su" command?
Do I need to 'chmod u+s /bin/su' first?


Thanks
 
Old 07-18-2004, 10:52 PM   #8
comp12345
Member
 
Registered: Feb 2004
Posts: 467

Rep: Reputation: 30
Quote:
Sorry I don't understand "but be sure to leave the SETUID bit on"?
su needs to run as root to function, hence the need for SETUID.

Quote:
Can anyone tell me the procedure for making a group able to use the "su" command?
Code:
chmod 4750 /bin/su
You needed to enable rights for the group to run su and you needed to enable SETUID.

Last edited by comp12345; 07-18-2004 at 10:58 PM.
 
Old 07-18-2004, 11:24 PM   #9
treotan
Member
 
Registered: Jun 2004
Posts: 126

Original Poster
Rep: Reputation: 15
How do I enable SETUID?

Thanks
 
Old 07-19-2004, 04:52 AM   #10
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Have a look at the file, usually the presets and
comments make it easy to understand.

There's also the man-page.

Basically sudoers allows you to define which users
are allowed to run which commands (including info
on which host, if required).


Cheers,
Tink
 
Old 07-19-2004, 05:13 AM   #11
treotan
Member
 
Registered: Jun 2004
Posts: 126

Original Poster
Rep: Reputation: 15
Done!
I set su to "-rwsr-sr-x /bin/su", and then it worked!!

Thanks
 
Old 07-19-2004, 05:25 AM   #12
muxman
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 203

Rep: Reputation: 32
A user having access to su should make much difference if they don't know any other users' passwords. Su is of no use without that info really.
 
Old 07-19-2004, 09:56 PM   #13
treotan
Member
 
Registered: Jun 2004
Posts: 126

Original Poster
Rep: Reputation: 15
I know! If they don't know the pw, the su command does not work! But I think this is a security issue.
 
Old 07-20-2004, 02:31 AM   #14
muxman
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 203

Rep: Reputation: 32
Quote:
Originally posted by treotan
I know! If they don't know the pw, the su command does not work! But I think this is a security issue.
That's cool! I figured it out that you see a security issue there or you wouldn't be doing this! I'm just wondering what the issue is! That's why I mentioned that they need a password to make it work! Without the password su does not function! What is the issue!? Or are you just being safe!? I'm just not aware of su providing any backdoor type functionality with failed attempts to use it!
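
Added example, not part of any post in this thread: a small shell audit that classifies the /bin/su modes tried above (600, 4600, 4750 and the final -rwsr-sr-x, i.e. 6755) and checks the two other pieces of the wheel setup, the pam_wheel line and the wheel entry in the group file. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Classify an octal mode / owner / group triple for su under the
# wheel-only setup discussed in the thread.
su_mode_verdict() {
    m=$((0$1)); owner=$2; group=$3
    if [ $((m & 04000)) -eq 0 ] || [ "$owner" != root ]; then
        echo "broken: not setuid root, su cannot acquire superuser privileges"
    elif [ $((m & 0001)) -ne 0 ]; then
        echo "open: every user can execute su, only PAM limits who succeeds"
    elif [ $((m & 0010)) -ne 0 ] && [ "$group" = wheel ]; then
        echo "restricted: only root and wheel members can execute su"
    else
        echo "unusable: wheel members cannot execute su"
    fi
}

# Succeeds if FILE has an uncommented "auth required ... pam_wheel.so" line.
pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_wheel\.so' "$1"
}

# Succeeds if USER is listed in the wheel entry of GROUPFILE (/etc/group
# format). Only the member list is checked, not a user's primary group.
in_wheel() {
    awk -F: -v u="$1" '$1 == "wheel" {
            n = split($4, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == u) found = 1
        }
        END { exit !found }' "$2"
}

# Constructed sample files reusing the lines quoted in the thread.
tmp=$(mktemp -d)
cat > "$tmp/su.pam" <<'EOF'
auth required /lib/security/$ISA/pam_wheel.so use_uid
EOF
printf 'wheel:x:10:root,myaccount\nusers:x:100:guest\n' > "$tmp/group"

for spec in "600 root root" "4600 root root" "4750 root wheel" "6755 root root"; do
    printf '%-16s %s\n' "$spec" "$(su_mode_verdict $spec)"
done
pam_wheel_enabled "$tmp/su.pam" && echo "pam_wheel: enforced"
in_wheel myaccount "$tmp/group" && echo "myaccount: in wheel"
in_wheel guest "$tmp/group" || echo "guest: not in wheel"
rm -rf "$tmp"
```

On a system with GNU stat, the live binary can be checked with `su_mode_verdict $(stat -c '%a %U %G' /bin/su)`.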
 
  

