LinuxQuestions.org
Old 05-01-2005, 09:34 AM   #1
abefroman
How do I make it so users have to be in the wheel group to su to root?


How do I make it so users have to be in the wheel group to su to root?

I am running Linux with OpenSSH; I didn't see a place to set that in:
/etc/ssh/sshd_config
 
Old 05-01-2005, 10:26 AM   #2
masand
I am not sure about this, but you need to remove the setuid permission for su like this

chmod -s /bin/su
and then use
chgrp
to give rights to some specific group

regards
 
Old 05-01-2005, 12:10 PM   #3
btmiller
Well, if you remove the setuid bit from su, nobody will be able to su to root (after all, programs can't magically jump privilege levels). The correct way to do it (in most cases) is to edit the /etc/pam.d/su file. You can add a line like:

auth required /lib/security/$ISA/pam_wheel.so use_uid

to require users to be in the wheel group to su. In fact, most distributions have this line in place, but commented out.

If you're on a distro like Slackware that doesn't use PAM by default (one of the few things that really annoys me about Slack BTW), just make /bin/su owned by root:wheel with permissions 4750 so that no one not in group wheel can execute it.
 
Old 05-01-2005, 12:31 PM   #4
masand
Well, I may not be correct, but I tried this and it seems to work:

chmod -s /bin/su
chgrp gaurav /bin/su
chmod 0774 /bin/su

This is the present permission:

-rwxrwxr-- 1 root gaurav 35780 2004-06-22 00:50 /bin/su*


So only the user root and users from the group gaurav are allowed to run su.

regards

 
Old 05-01-2005, 03:00 PM   #5
btmiller
Right, you're correct that configuration will only allow users in group gaurav to run su (sorry if I was unclear on that), but because su doesn't have the setuid bit, it won't be able to execute the setuid system call to change the UID to 0. You can try this yourself.
 
Old 05-01-2005, 03:07 PM   #6
masand
But if that setuid bit is set then anyone can run "su", isn't it??
 
Old 05-02-2005, 12:44 AM   #7
btmiller
No, the setuid bit only means that the binary should execute with the uid of the owner of the binary, not with the user running the program. For example, /bin/passwd has to run setuid to root since non-root users can't edit /etc/passwd and /etc/shadow. The setuid bit doesn't affect who can run the program, only what privileges it runs with.
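The two restrictions discussed in this thread (an active pam_wheel line in the su PAM file, and the mode bits on the su binary) can be checked with a short script. This is an added example, not code from any of the posters; the function names and the sample PAM file are constructed for illustration, and the mode check assumes the binary is owned by root with the restricted group as its group.

```shell
#!/bin/sh
# Added example: audit the two su restrictions discussed in the thread.
# Function names are hypothetical; sample input is constructed.

# pam_wheel_enforced FILE
# Succeeds only if FILE has an active (uncommented) auth line that loads
# pam_wheel.so with a control flag that denies on failure.
pam_wheel_enforced() {
    awk '
        /^[ \t]*#/ { next }    # commented-out line, as many distros ship it
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
            $3 ~ /pam_wheel\.so$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# su_mode_verdict OCTAL_MODE
# Classifies the permission bits of a root-owned su binary:
#   broken     - no setuid bit, so su cannot change the UID to 0
#   restricted - setuid, no execute bit for "other" (owner and group only)
#   open       - setuid and world-executable; any limit must come from PAM
su_mode_verdict() {
    mode=$((0$1))              # leading 0 makes the shell read it as octal
    if [ $((mode & 04000)) -eq 0 ]; then
        echo broken
    elif [ $((mode & 0001)) -eq 0 ]; then
        echo restricted
    else
        echo open
    fi
}

# Constructed sample: a PAM su file with the pam_wheel line still commented out.
sample=$(mktemp)
printf '%s\n' 'auth sufficient pam_rootok.so' \
    '#auth required /lib/security/$ISA/pam_wheel.so use_uid' > "$sample"
if pam_wheel_enforced "$sample"; then
    echo "pam_wheel: enforced"
else
    echo "pam_wheel: NOT enforced (line missing or commented out)"
fi
rm -f "$sample"

# The three modes that come up in the thread: 4750, 0774, and a default 4755.
for m in 4750 0774 4755; do
    echo "mode $m: $(su_mode_verdict "$m")"
done
```

On a real system the inputs would be /etc/pam.d/su and the mode reported by `stat -c %a /bin/su` (GNU coreutils).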
 
Old 05-02-2005, 01:02 AM   #8
masand
Yes, I meant to say just that: anyone can execute a program which has the setuid bit set, since that will execute the program with the permission of the owner.

regards
 
  

