LinuxQuestions.org > Linux - Newbie > protect su command
https://www.linuxquestions.org/questions/linux-newbie-8/protect-su-command-206572/

treotan 07-18-2004 10:56 AM

protect su command
 
How do I protect the "su -" command?
I tried changing /bin/su to chmod 600, deleted the "#" from "auth required /lib/security/$ISA/pam_wheel.so use_uid" in /etc/pam.d/su and added myaccount to the "wheel:x:10:root,myaccount" line of /etc/group.

Then I logged in again as myaccount and tried typing "su -". It failed.
No general user can use "su -" now!

How do I give the right to run "su -" to a specific user?

ranger_nemo 07-18-2004 11:28 AM

I'm not too sure about the group-stuff you are doing... Is su owned by root.wheel?

Anyway, if you want to let a group run su, you have to set the permissions to allow it... "chmod g+x su". 600 only allows the owner of su to run it.

btmiller 07-18-2004 12:01 PM

You turned the SETUID bit off on /bin/su when you chmod'ed it to 0600 -- su needs to be able to acquire superuser privileges, hence the need. Just do 'chmod u+s /bin/su' to fix that (or 'chmod 4600 /bin/su' if you like numeric permissions). Another problem is that with those permissions it's unexecutable by anyone but root, which kind of destroys the point if you want to be able to su to root. You should probably just set the permissions back to what they were and let the PAM stuff do its magic.

treotan 07-18-2004 08:30 PM

Thanks! But I want to give some users the right to change to superuser via su. How do I do that?

Did I do it correctly?
1. Deleted the "#" from "auth required /lib/security/$ISA/pam_wheel.so use_uid" in /etc/pam.d/su
2. Added myaccount to the "wheel:x:10:root,myaccount" line of /etc/group

btmiller 07-18-2004 08:52 PM

That looks correct to me. You'll need to make sure that members of the wheel group can execute su too (i.e. you can change the group of /bin/su to wheel and make it group executable, but be sure to leave the SETUID bit on).

Tinkster 07-18-2004 08:54 PM

You could always play with
/etc/sudoers
to achieve that :)


Cheers,
Tink

treotan 07-18-2004 09:22 PM

To Tinkster
How do I use /etc/sudoers?

To Btmiller
Sorry, I don't understand "but be sure to leave the SETUID bit on"?

Can anyone tell me the procedure for allowing a group to use the "su" command?
Do I need to 'chmod u+s /bin/su' first?


Thanks

comp12345 07-18-2004 09:52 PM

Quote:

Sorry I don't understand "but be sure to leave the SETUID bit on"?
su needs to run as root to function, hence the need for SETUID.

Quote:

Anyone can tell me the procedure, how to make a group can be use "su" command?
Code:

chmod 4750 /bin/su
You needed to enable rights for the group to run su and you needed to enable SETUID.
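
To tie the thread's steps together, here is an added shell script (not from the thread or any poster in it) that checks the three things being juggled: whether a given mode for /bin/su still carries the setuid bit and who may execute it, whether a user is listed on the wheel line of /etc/group, and whether the pam_wheel line in /etc/pam.d/su is really uncommented. It works on ls -l mode strings and constructed config text so it runs unprivileged and offline; the config lines and the user name myaccount come from the thread, everything else is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the su setup discussed
# above using mode strings and constructed config text instead of a live
# /bin/su, so it runs unprivileged and offline.

# Symbolic ls -l mode (e.g. "-rwsr-xr-x") -> octal (e.g. 4755), including
# the setuid/setgid/sticky digit that the thread's "chmod 600" wiped out.
mode_to_octal() {
    sym=$1 spec=0 u=0 g=0 o=0 i=2
    while [ "$i" -le 10 ]; do
        c=$(printf '%s' "$sym" | cut -c"$i")
        case $i in 2|3|4) who=u ;; 5|6|7) who=g ;; *) who=o ;; esac
        case $c in r) v=4 ;; w) v=2 ;; x|s|t) v=1 ;; *) v=0 ;; esac
        case $c in
            s|S) if [ "$i" -eq 4 ]; then spec=$((spec + 4)); else spec=$((spec + 2)); fi ;;
            t|T) spec=$((spec + 1)) ;;
        esac
        eval "$who=\$(($who + v))"
        i=$((i + 1))
    done
    printf '%d%d%d%d\n' "$spec" "$u" "$g" "$o"
}

# Verdict for a su binary: arguments are the mode, owner and group columns
# of "ls -l /bin/su". Returns 0 when someone other than root can use su.
su_verdict() {
    mode=$1 owner=$2 group=$3
    oct=$(mode_to_octal "$mode")
    case ${oct%???} in
        4|5|6|7) ;;   # leading octal digit has the setuid bit
        *) echo "BROKEN: setuid bit is off ($oct); su cannot become root"; return 1 ;;
    esac
    if [ "$owner" != root ]; then
        echo "BROKEN: setuid to $owner, not root ($oct)"; return 1
    fi
    case $(printf '%s' "$mode" | cut -c10) in
        x|t) echo "OPEN: every user may run su ($oct); the root password is the only barrier"; return 0 ;;
    esac
    case $(printf '%s' "$mode" | cut -c7) in
        x|s) echo "RESTRICTED: only root and group $group may run su ($oct)"; return 0 ;;
    esac
    echo "ROOT-ONLY: only root may run su ($oct), which defeats the purpose"
    return 1
}

# True if USER is listed on a group(5) line such as "wheel:x:10:root,myaccount".
in_group_line() {
    case ",${1##*:}," in *",$2,"*) return 0 ;; esac
    return 1
}

# True if the pam.d/su text in FILE has an active (uncommented) pam_wheel
# auth line, i.e. the "#" the thread removed is really gone.
pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_wheel\.so' "$1"
}

# Demo on the modes that appear in the thread plus the usual 4755 default.
for m in -rwsr-xr-x -rw------- -rwsr-x--- -rwsr-sr-x; do
    printf '%s  %s\n' "$m" "$(su_verdict "$m" root wheel)"
done
in_group_line 'wheel:x:10:root,myaccount' myaccount && echo 'myaccount is in wheel'

pamtmp=$(mktemp)   # constructed stand-in for /etc/pam.d/su
printf '#auth required /lib/security/$ISA/pam_wheel.so use_uid\n' > "$pamtmp"
pam_wheel_enabled "$pamtmp" || echo 'pam_wheel still commented out'
printf 'auth required /lib/security/$ISA/pam_wheel.so use_uid\n' > "$pamtmp"
pam_wheel_enabled "$pamtmp" && echo 'pam_wheel active'
rm -f "$pamtmp"
```

On a real system the same check is `set -- $(ls -l /bin/su); su_verdict "$1" "$3" "$4"`. Note that treotan's eventual -rwsr-sr-x (6755) also sets the setgid bit, which su does not need; 4755 root:root is the usual default, and 4750 root:wheel is the restricted form the thread is after, with pam_wheel giving the same restriction at the PAM layer even if the file mode is later reset by a package upgrade.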

treotan 07-18-2004 10:24 PM

How do I enable SETUID?

Thanks

Tinkster 07-19-2004 03:52 AM

Have a look at the file; usually the presets and
comments make it easy to understand.

There's also the man page.

Basically sudoers allows you to define which users
are allowed to run which commands (including info
on which host, if required).


Cheers,
Tink
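
As an added illustration of Tinkster's pointer (not something posted in the thread), here is a sudoers fragment of the kind visudo accepts. It gives the wheel group the same reach as su while also showing the per-command and per-host narrowing the post mentions. The host name build01 and the user backup are assumptions made for the example; edit the real file only through visudo, which syntax-checks it before saving.

```sudoers
# Aliases keep the rules below readable (build01 is an assumed host name).
Host_Alias  BUILD   = build01
Cmnd_Alias  SERVICE = /sbin/service, /usr/sbin/service

# Members of wheel may run any command as root, after their own password,
# which is the sudo equivalent of the pam_wheel setup in this thread.
%wheel      ALL=(ALL) ALL

# A narrower grant: the assumed user "backup" may only manage services,
# and only on build01.
backup      BUILD=(root) SERVICE

# Ask wheel members for their password on every sudo invocation.
Defaults:%wheel timestamp_timeout=0
```

Unlike the chmod approach above, each grant is recorded per user and per command, the user authenticates with their own password rather than root's, and every invocation is logged, so "visudo -c" on the edited file plus a look at the log is all the verification needed.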

treotan 07-19-2004 04:13 AM

Done!
I made su "-rwsr-sr-x /bin/su", and then it worked!!

Thanks

muxman 07-19-2004 04:25 AM

A user having access to su shouldn't make much difference if they don't know any other user's password. su is of no use without that info, really.

treotan 07-19-2004 08:56 PM

I know! If they don't know the password, the su command doesn't work! But I think this is a security issue.

muxman 07-20-2004 01:31 AM

Quote:

Originally posted by treotan
I know! If they don't know the password, the su command doesn't work! But I think this is a security issue.
That's cool! I figured that you see a security issue there or you wouldn't be doing this! I'm just wondering what the issue is! That's why I mentioned that they need a password to make it work! Without the password su does not function! What is the issue!? Or are you just being safe!? I'm just not aware of su providing any backdoor-type functionality with failed attempts to use it!

