protect su command
How to protect the "su -" command.
I tried changing /bin/su to chmod 600, deleted the "#" from "auth required /lib/security/$ISA/pam_wheel.so use_uid" in /etc/pam.d/su, and added myaccount to "wheel:x:10:root,myaccount" in /etc/group. Then I logged in again as myaccount and tried typing "su -". It failed. Now no general user can use "su -" at all! How do I give the right to use "su -" to a specific user?
I'm not too sure about the group stuff you are doing... Is su owned by root.wheel? Anyway, if you want to let a group run su, you have to set the permissions to allow it: "chmod g+x su". 600 only allows the owner of su to run it.
You turned the SETUID bit off on /bin/su when you chmod'ed it to 0600 -- su needs to be able to acquire superuser privileges, hence the need. Just do 'chmod u+s /bin/su' to fix that (or 'chmod 4600 /bin/su' if you like numeric permissions). Another problem is that with those permissions it's unexecutable by anyone but root, which kind of destroys the point if you want to be able to su to root. You should probably just set the permissions back to what they were and let the PAM stuff do its magic.
Thanks! But I want to give some users the right to become superuser via su! How do I do that?
Did I do it correctly?
1. Deleted the "#" from "auth required /lib/security/$ISA/pam_wheel.so use_uid" in /etc/pam.d/su
2. Added myaccount to "wheel:x:10:root,myaccount" in /etc/group
That looks correct to me. You'll need to make sure that members of the wheel group can execute su too (i.e. you can change the group of /bin/su to wheel and make it group executable, but be sure to leave the SETUID bit on).
You could always play with /etc/sudoer to achieve that :) Cheers, Tink
To Tinkster: How do I use /etc/sudoer?
To Btmiller: Sorry, I don't understand "but be sure to leave the SETUID bit on". Can anyone tell me the procedure for letting a group use the "su" command? Do I need to 'chmod u+s /bin/su' first? Thks
Quote:
Code:
chmod 4750 /bin/su
How to enable SETUID?
Thks
Have a look at the file; usually the presets and comments make it easy to understand. There's also the man page. Basically sudoers allows you to define which users are allowed to run which commands (including info on which host, if required). Cheers, Tink
Done!
I made su "-rwsr-sr-x /bin/su", then it worked!! Thks
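As an added example (not code from this thread or from any of its posters), here are two POSIX shell helpers that check the two things the thread settled on: that /bin/su keeps its SETUID bit and is executable by group wheel, and that the pam_wheel line in /etc/pam.d/su is uncommented. They take strings as input so they run on any host without touching the real binary; the two sample /etc/pam.d/su contents are constructed for the example. On a live system you would feed them the output of `stat -c '%A %G' /bin/su` and the real /etc/pam.d/su.

```shell
#!/bin/sh
# Added example: audit helpers for the su setup discussed in this thread.
# Not code from the thread; the sample PAM contents below are constructed.

# su_mode_ok SYMBOLIC_MODE GROUP_OWNER
# Checks an ls/stat style mode such as "-rwsr-x---" plus the group owner.
# Returns 0 when the SETUID bit is on (owner exec slot is 's'), the group
# can execute the file, and the group owner is wheel; otherwise prints why
# and returns 1. A world-executable su is accepted but flagged, because
# pam_wheel, not the file mode, is what finally restricts who succeeds.
su_mode_ok() {
    mode=${1%[.+]}   # drop a trailing '.' or '+' (SELinux/ACL marker)
    group=$2
    case $mode in
        ??????????) ;;
        *) echo "unexpected mode string: $1"; return 1 ;;
    esac
    case $mode in
        ???s??????) ;;
        *) echo "SETUID bit is off ($mode): su cannot become root"; return 1 ;;
    esac
    case $mode in
        ??????[xs]???) ;;
        *) echo "group has no execute bit ($mode): wheel members cannot run su"; return 1 ;;
    esac
    case $mode in
        ?????????-) ;;
        *) echo "note: su is world-executable ($mode); pam_wheel still limits who may succeed" ;;
    esac
    if [ "$group" != wheel ]; then
        echo "group owner is '$group', expected wheel"
        return 1
    fi
    return 0
}

# pam_wheel_enabled PAM_SU_CONTENTS
# Returns 0 when the text of /etc/pam.d/su has an uncommented
# "auth required ... pam_wheel.so ... use_uid" line, 1 otherwise.
pam_wheel_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so.*use_uid'
}

# Constructed sample files in the style of the thread (single quotes keep $ISA literal).
PAM_SU_ENABLED='#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth'

PAM_SU_DISABLED='#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth'

# Demo run: print a verdict for each mode; reasons come from su_mode_ok itself.
check() {
    if su_mode_ok "$1" "$2"; then echo "$1 $2: OK"; else echo "$1 $2: FIX NEEDED"; fi
}
check '-rw-------' root     # the 0600 state from the first post
check '-rwsr-x---' wheel    # chmod 4750 with group wheel
check '-rwsr-sr-x' wheel    # the final "-rwsr-sr-x" from the thread

if pam_wheel_enabled "$PAM_SU_ENABLED"; then echo "sample 1: pam_wheel active"; fi
if pam_wheel_enabled "$PAM_SU_DISABLED"; then :; else echo "sample 2: pam_wheel commented out"; fi
```

The mode check deliberately fails on the 0600 state from the first post (no SETUID, no group execute) and on a correct mode with the wrong group owner, since either one leaves wheel members unable to su; the PAM check is what distinguishes "anyone with root's password" from "wheel members with root's password".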
A user having access to su shouldn't make much difference if they don't know any other users' passwords. Su is of no use without that info really.
I know! If they don't know the password, the su command doesn't work! But I think this is a security issue.