LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-22-2007, 05:07 AM   #1
ZAMO
Member
 
Registered: Mar 2007
Distribution: Redhat &CentOS
Posts: 598

Rep: Reputation: 30
Thumbs up allow and deny su


Hi,

I need a security setting to do in my system. I have 3 users A, B and C.
I want A can be able to "su" to B and C.
But C and B are not allowed to "su" to anyone, even though they know the password of others.

How to setup this?

Thanks in Advance.
 
Old 10-22-2007, 07:21 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by ZAMO View Post
I have 3 users A, B and C.
I want A can be able to "su" to B and C.
But C and B are not allowed to "su" to anyone, even though they know the password of others.
It can be done with these three steps:

1) Create a group called suok (for example) for users allowed to use su.
Code:
groupadd suok
2) Add user "userA" to the group you created.
Code:
usermod -a -G suok userA
3) Put a line like this in your /etc/pam.d/su file:
Code:
auth       required   pam_wheel.so   group=suok
 
Old 10-22-2007, 07:22 AM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
I would think you could do this with permissions on the su command. Of course if B and C already know the passwords to others accounts, what's to stop them from simply logging in as someone else and bypass su altogether?


Ah, beaten to the punch by win32sux!
 
Old 10-22-2007, 07:39 AM   #4
rjlee
Senior Member
 
Registered: Jul 2004
Distribution: Ubuntu 7.04
Posts: 1,994

Rep: Reputation: 76
It sounds like you want to have quite fine-grained control over what each user is able to do, in which case I would investigate using sudo. This will also help with logging who tried to do what to help track down any problems in future.

sudo will run commands for the user as root (or some other user), while requiring only that the user knows their own password. You can configure exactly which commands each user is allowed to execute, so you could enable su only for user A and not for users B and C.

The basic setup would be to deny execute access to every user for every program, except those listed in the sudoers file. You can't just disable individual programs, because the users could then install their own copy into their home directory and just use that.

There are a few tutorials on sudo out there, but running "man sudoers" seems to give more useful information than any I've seen.

If B and C know the passwords of other users, you need to think about how you are going to stop B and C from logging in to other accounts. You can do this by configuring PAM appropriately to look for other information (keycards, retina scanners, etc.) which may involve writing a PAM module or finding an appropriate one through the web.

I don't know much about PAM myself, but you can look into configuring it at http://www.kernel.org/pub/linux/libs...x-PAM_SAG.html

Hope that helps,

—Robert J Lee
 
Old 10-23-2007, 04:39 AM   #5
ZAMO
Member
 
Registered: Mar 2007
Distribution: Redhat &CentOS
Posts: 598

Original Poster
Rep: Reputation: 30
Thank you very much for you ALL.
And special thanks to robert J Lee for providing a wonderful link to PAM documentation.
 
Old 10-23-2007, 07:32 AM   #6
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
I guess he could take the login abilites off of those users.
That is a neat trick with pam. I'll have to read up on pam. I would have done it exactly the same way, but instead of using pam I would have 750'd the su binary and made it root:suok.

nomb
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables allow / deny ??!!?? skate Linux - Security 6 03-21-2007 03:42 AM
/etc/hosts.deny icedude Linux - Networking 3 01-12-2006 04:01 AM
never_direct deny all vs. always_direct deny all simplyrahul Linux - General 1 02-16-2005 02:42 PM
hosts.deny help/how-to jon_k Linux - Software 1 07-25-2003 10:17 PM
hosts.deny 98steve600 Linux - General 1 01-10-2001 07:39 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration