-   Linux - Security (
-   -   How do I make it so users have to be in the wheel group to su to root? (

abefroman 05-01-2005 09:34 AM

How do I make it so users have to be in the wheel group to su to root?
How do I make it so users have to be in the wheel group to su to root?

I am running linux with openssh, I didnt see a place to set that in:

masand 05-01-2005 10:26 AM

i am not sure for this but u need to remve the setuid permission for su like this

chmod -s /bin/su
and then use
to give rights to some specific group


btmiller 05-01-2005 12:10 PM

Well, if you remove the setuid bit from su, nobody will be able to su to root (after all, programs can't magically jump privilege levels). The correct way to do it (in most cases) is to edit the /etc/pam.d/su file. You can add a line like:

auth required /lib/security/$ISA/ use_uid

to require users to be in the wheel group to su. In fact, most distributions have this line in place, but commented out.

If you're on a distro like Slackware that doesn't use PAM by default (one of the few things that really annoys me about Slack BTW), just make /bin/su owned by root:wheel with permissions 4750 so that no one not in group wheel can execute it.

masand 05-01-2005 12:31 PM

well i may not be correct

but i tried this and it seem to work

chmod -s /bin/su
chgrp gaurav /bin/su
chmod 0774 /bin/su

this is present permission

-rwxrwxr-- 1 root gaurav 35780 2004-06-22 00:50 /bin/su*

so only users

and from the group

are allowed to run su


btmiller 05-01-2005 03:00 PM

Right, you're correct that configuration will only allow users in group gaurav to run su (sorry if I was unclear on that), but because su doesn't have the setuid bit, it won't be able to execute the setuid system call to change the UID to 0. You can try this yourself.

masand 05-01-2005 03:07 PM

but if that setuid bit is set then anyone can run "su"

isn't it??

btmiller 05-02-2005 12:44 AM

No, the setuid bit only means that the binary should execute with the uid of the owner of the binary, not with the user running the program. For example, /bin/passwd has to run setuid to root since non-root users can't edit /etc/passwd and /etc/shadow. The setuid bit doesn't affect who can run the program, only what prvileges it runs with.

masand 05-02-2005 01:02 AM

yes i meant to say that only
that anyone can execute a program which has setuid bit set since that wil execute the program with the permision of the owner


All times are GMT -5. The time now is 09:18 AM.