Old 05-04-2007, 11:13 AM   #1
mariusek
LQ Newbie
 
Registered: Jan 2007
Posts: 8

Rep: Reputation: 0
Su command - only one user


How to configure the su command so that only one user can use it, and without giving the password?
 
Old 05-04-2007, 11:39 AM   #2
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 5,959

Rep: Reputation: Disabled
Never heard su could be used without password. Tell us what you need to do. I'm sure there is another solution.
 
Old 05-04-2007, 11:51 AM   #3
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,887

Rep: Reputation: 351
Sounds like you need to set up sudo. The file /etc/sudoers names the user who may use the sudo command, and it names the commands that user may use.

The named user can then run the commands listed for him in the sudoers file, without password.
 
Old 05-04-2007, 12:00 PM   #4
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 5,959

Rep: Reputation: Disabled
Another way may be setting SUID bit. Which solution is best depends on what you need to do.
 
Old 05-04-2007, 09:52 PM   #5
yawe_frek
Member
 
Registered: Sep 2005
Distribution: feather 0.72-usb, DSL,CentOS,Ubuntu, Redhat 9
Posts: 144

Rep: Reputation: 15
I would like to follow up this post; that is why I am writing.
 
Old 05-05-2007, 02:48 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
nothing to do with networking, moved to Linux - Newbie. and yawe_frek, please don't do that. just select "subscribe to this thread" next time please.
 
Old 05-05-2007, 02:50 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
also yes totally possible, but very very dumb and dangerous. http://www.phptr.com/articles/articl...seqNum=11&rl=1 if you really want a scenario as insecure and ill-advised as this, sudo would still be a better approach to take.
 
Old 05-05-2007, 03:46 AM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671
The sudoers file is well commented. There is an example allowing users to mount the cdrom device as root without a password.

For mounting and unmounting filesystems, use the "users" or "user" option. The mount command is an SUID program. However, it only allows a regular user to mount a filesystem if the "user" or "users" option is used.
For removable devices such as pendrives, use the label or uuid instead of the device.

For other commands in sudoers, be very explicit with the command allowed. Include the full pathname to the command.

You can configure sudo so that members of a certain group can use it after entering their own password. This way, you don't have to distribute the root password, but a third party who has physical access to a group member's computer won't be able to run a command as root without knowing the user's password.

You can also forbid certain commands such as "sudo /bin/bash" which would give the user unrestricted and unlogged root access. Also be careful with commands like vim which have shell escapes. Only allow rvim which starts vim in the restricted mode; it won't be possible to execute commands or suspend rvim.
 
Old 05-05-2007, 04:22 AM   #9
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671
Quote:
Originally Posted by Emerson
Another way may be setting SUID bit. Which solution is best depends on what you need to do.
This is dangerous because any user will be able to run the command as root. Not just members of a certain group.

Some commands are already SUID programs, and take measures to prevent abuse. For example, the passwd and mount commands. The passwd command is SUID to allow regular users to change their own passwords, which requires write access to /etc/passwd. An entry in /etc/fstab with the "user" or "users" option will allow the owner or any user respectively to mount the filesystem.* The /etc/fstab then becomes the controlling mechanism for the suid mount program. Only go the SUID route if the command is already suid for a good reason and limits what is done as root (or a system user). Programs like mount and password are written with safeguards built in. Setting the suid bit on a program not designed with its own controlling mechanisms is a very bad idea and shouldn't be done.


For other commands, you can add entries in /etc/sudoers (via the visudo program) to allow group members or regular users to run certain commands as root. You need to be explicit with the command. For example, include the path to the command and any arguments you require. The CDROM mounting commented sample is one example.

If you want to allow some members, such as %admin members to use sudo on any command, but want everything logged, you can forbid certain commands, such as "sudo /bin/bash". Also, some commands have shell escapes. Forbid them but allow safer alternatives. For example using vim is essential for administrative work but you can allow rvim instead. Rvim doesn't allow executing commands or suspending.

Also, consider configuring sudo to use the user's password instead of the root password. That way you don't need to distribute the root password, but are protected from a 3rd party gaining physical access to an open console. You need to enforce strong passwords then, so that an %admin member doesn't have an easy-to-guess password.
----
* For removable devices, I would recommend using the label or uuid instead of the device in the fstab line for that device. The "user" option combined with the "UUID=" entry will allow a normal user to mount the device regardless of which port was used, provided he is the owner of the filesystem (same uid) or for fat32 drives is listed in the "uid=UID/username" mount option.

Last edited by jschiwal; 05-05-2007 at 04:24 AM.
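
A small lint for the sudoers advice in posts #8 and #9 (full pathnames, no shells, rvim instead of vim, NOPASSWD only for an explicit command), added here as an example and not posted by anyone in the thread. The user `alice`, the group `%admin` and the sample entries are constructed; a real /etc/sudoers should still be edited and syntax-checked with visudo.

```shell
#!/bin/sh
# Constructed sample sudoers entries; "alice" and "%admin" are hypothetical.
sample_sudoers() {
cat <<'EOF'
# Entries that follow the advice in posts #8 and #9
alice  ALL = NOPASSWD: /bin/mount /dev/cdrom /mnt/cdrom
%admin ALL = (root) /usr/bin/rvim /etc/fstab
%admin ALL = ALL, !/bin/bash
# Entries the thread warns against
alice  ALL = NOPASSWD: ALL
%admin ALL = /bin/bash
%admin ALL = /usr/bin/vim /etc/fstab
alice  ALL = NOPASSWD: mount /dev/cdrom
EOF
}

# Simplified lint: one user specification per line, no aliases or
# line continuations. Prints "LINE: finding" for each risky grant.
lint_sudoers() {
awk '
/^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
{
  spec = $0
  if (!sub(/^[^=]*=[ \t]*/, "", spec)) next   # keep the text after "="
  gsub(/\([^)]*\)[ \t]*/, "", spec)           # drop the (runas) list
  nopw = (spec ~ /NOPASSWD:/)
  gsub(/[A-Z_]+:[ \t]*/, "", spec)            # drop tags such as NOPASSWD:
  n = split(spec, cmds, /[ \t]*,[ \t]*/)
  for (i = 1; i <= n; i++) {
    split(cmds[i], w, /[ \t]+/); c = w[1]
    b = c; sub(/.*\//, "", b)                 # basename of the command
    if (c ~ /^!/) continue                    # an exclusion, not a grant
    if (c == "ALL") {
      if (nopw) print NR ": NOPASSWD on ALL commands"
    } else if (c !~ /^\//) {
      print NR ": command not given as a full pathname: " c
    } else if (b ~ /^(ba|da|z|k|c|tc)?sh$/) {
      print NR ": shell gives unrestricted root access: " c
    } else if (b ~ /^(vi|vim)$/) {
      print NR ": editor with shell escapes, rvim is the restricted form: " c
    }
  }
}'
}

sample_sudoers | lint_sudoers
```

The sudoers manual cautions that subtracting commands from ALL with `!` is generally not effective, so the explicit single-command grants in the first two sample entries are the stronger form.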
 
  

