LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-22-2007, 05:07 AM   #1
ZAMO
Distribution: Redhat &CentOS
allow and deny su


Hi,

I need a security setting to do in my system. I have 3 users A, B and C.
I want A to be able to "su" to B and C.
But C and B are not allowed to "su" to anyone, even though they know the passwords of others.

How do I set this up?

Thanks in Advance.
 
Old 10-22-2007, 07:21 AM   #2
win32sux
Distribution: Ubuntu
Originally Posted by ZAMO:
I have 3 users A, B and C.
I want A can be able to "su" to B and C.
But C and B are not allowed to "su" to anyone, even though they know the password of others.
It can be done with these three steps:

1) Create a group called suok (for example) for users allowed to use su.
Code:
groupadd suok
2) Add user "userA" to the group you created.
Code:
usermod -a -G suok userA
3) Put a line like this in your /etc/pam.d/su file:
Code:
auth       required   pam_wheel.so   group=suok
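A worked version of the three steps above, as an added example that is not from the thread: a small shell script that patches a copy of a Red Hat-style /etc/pam.d/su, checks that the result carries an active pam_wheel.so line for the group, and leaves the commands that need root as comments. The sample file contents are constructed, modelled on the stock CentOS file rather than copied from a live host; the group name suok follows the post, and the use_uid option is my addition (it makes pam_wheel check the real UID of the calling process instead of trying to obtain the user from the login session associated with the terminal in use).

```shell
#!/bin/sh
# Added example, not from the thread: restrict su to members of one group by
# inserting a pam_wheel.so line into /etc/pam.d/su. Assumes the Red Hat /
# CentOS layout, where the file "include"s system-auth for the password check
# and ships a commented-out pam_wheel template line just above that include.

# patch_su_pam FILE GROUP: write FILE to stdout with an active
#   auth required pam_wheel.so group=GROUP use_uid
# line inserted just before the first "auth include" (or the older
# "auth required pam_stack.so") line. Any active pam_wheel line already
# present is dropped first, so running this twice gives the same result.
patch_su_pam() {
    awk -v group="$2" '
        /^auth[ \t]+required[ \t]+pam_wheel\.so/ { next }
        /^auth[ \t]+(include|required[ \t]+pam_stack\.so)/ && !done {
            print "auth       required   pam_wheel.so   group=" group " use_uid"
            done = 1
        }
        { print }
    ' "$1"
}

# check_su_pam FILE GROUP: exit 0 only if an active (uncommented) pam_wheel
# line naming GROUP exists and precedes the first include/pam_stack line.
check_su_pam() {
    awk -v group="$2" '
        /^auth[ \t]+required[ \t]+pam_wheel\.so/ && $0 ~ ("group=" group "([ \t]|$)") && !wheel { wheel = NR }
        /^auth[ \t]+(include|required[ \t]+pam_stack\.so)/ && !inc { inc = NR }
        END { if (wheel && inc && wheel < inc) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample modelled on the stock CentOS /etc/pam.d/su; not copied
# from a live system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    optional     pam_xauth.so
EOF

patched=$(mktemp)
patch_su_pam "$sample" suok > "$patched"
if check_su_pam "$patched" suok; then
    echo "ok: active pam_wheel line for suok precedes the system-auth include"
else
    echo "patch failed; not applying" >&2
fi

# To apply for real, as root, after reading "$patched":
#   groupadd suok
#   usermod -a -G suok userA
#   cp /etc/pam.d/su /etc/pam.d/su.orig && cp "$patched" /etc/pam.d/su
rm -f "$sample" "$patched"
```

The inserted line keeps `required`, as in the post, so PAM still runs the rest of the auth stack (including the password prompt) before refusing a non-member; change it to `requisite` if you want non-members refused before any password prompt. Keep a root shell open in a second session while testing, since a typo in /etc/pam.d/su can lock every non-root user out of su.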
 
Old 10-22-2007, 07:22 AM   #3
Hangdog42
Distribution: Slackware
I would think you could do this with permissions on the su command. Of course, if B and C already know the passwords to other accounts, what's to stop them from simply logging in as someone else and bypassing su altogether?


Ah, beaten to the punch by win32sux!
 
Old 10-22-2007, 07:39 AM   #4
rjlee
Distribution: Ubuntu 7.04
It sounds like you want to have quite fine-grained control over what each user is able to do, in which case I would investigate using sudo. This will also help with logging who tried to do what to help track down any problems in future.

sudo will run commands for the user as root (or some other user), while requiring only that the user knows their own password. You can configure exactly which commands each user is allowed to execute, so you could enable su only for user A and not for users B and C.

The basic setup would be to deny execute access to every user for every program, except those listed in the sudoers file. You can't just disable individual programs, because the users could then install their own copy into their home directory and just use that.

There are a few tutorials on sudo out there, but running "man sudoers" seems to give more useful information than any I've seen.

If B and C know the passwords of other users, you need to think about how you are going to stop B and C from logging in to other accounts. You can do this by configuring PAM appropriately to look for other information (keycards, retina scanners, etc.) which may involve writing a PAM module or finding an appropriate one through the web.

I don't know much about PAM myself, but you can look into configuring it at http://www.kernel.org/pub/linux/libs...x-PAM_SAG.html

Hope that helps,

—Robert J Lee
 
Old 10-23-2007, 04:39 AM   #5
ZAMO
Distribution: Redhat &CentOS
Thank you very much to you all.
And special thanks to Robert J Lee for providing a wonderful link to the PAM documentation.
 
Old 10-23-2007, 07:32 AM   #6
nomb
Distribution: Debian Testing
I guess he could take the login abilities off of those users.
That is a neat trick with pam. I'll have to read up on pam. I would have done it exactly the same way, but instead of using pam I would have 750'd the su binary and made it root:suok.

nomb
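The permission route nomb mentions, as an added example that is not from the thread, done on a throwaway copy of a binary in a temp directory rather than on /bin/su. One detail is my correction, not nomb's: the mode has to be 4750, not 750, because su does its work as a setuid-root binary and chmod 750 clears the setuid bit, after which an ordinary user's su can no longer change UID at all (root itself is unaffected). The check function verifies the state you want on the real binary: setuid kept, group-owned by suok, no access for others. The demo uses the caller's primary group in place of suok so it runs unprivileged; the real change needs root and the real group.

```shell
#!/bin/sh
# Added example, not from the thread: restrict su by file ownership and mode
# instead of PAM, and verify the result. Assumes a group "suok" exists on the
# real system; this demo substitutes the caller's primary group and works on
# a copy of /bin/sh so it can run without root and without touching /bin/su.

# mode_and_group FILE: print the ls -l mode string and group, e.g.
# "-rwsr-x--- suok". A trailing ".", "+" or "@" (SELinux/ACL/xattr marker)
# is stripped from the mode so the comparison below is exact.
mode_and_group() {
    ls -ld "$1" | awk '{ sub(/[.+@]$/, "", $1); print $1, $4 }'
}

# lock_down FILE GROUP: group-own FILE by GROUP and set mode 4750
# (setuid, group rx, nothing for others). chgrp leaves the owner alone,
# which on the real /bin/su must stay root; both commands need root there.
# 750 would drop the setuid bit and break su for every non-root user,
# members of GROUP included.
lock_down() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# check_su_lockdown FILE GROUP: exit 0 only if FILE shows "-rwsr-x---"
# (setuid kept, others locked out) and is group-owned by GROUP.
# Rejects 750 (no setuid), 4755 (world-executable) and the wrong group.
check_su_lockdown() {
    [ "$(mode_and_group "$1")" = "-rwsr-x--- $2" ]
}

# Demo on a copy. Uses /bin/sh as the stand-in binary: /bin/su may be a
# hard link or package-managed and is not something to experiment on.
work=$(mktemp -d)
cp /bin/sh "$work/su"
grp=$(id -gn)

chmod 750 "$work/su"
if check_su_lockdown "$work/su" "$grp"; then
    echo "unexpected: 750 passed"
else
    echo "750 rejected: $(mode_and_group "$work/su") has no setuid bit"
fi

lock_down "$work/su" "$grp"
if check_su_lockdown "$work/su" "$grp"; then
    echo "4750 accepted: $(mode_and_group "$work/su")"
fi
rm -rf "$work"
```

On Debian-derived systems record the change with dpkg-statoverride so package upgrades keep it; on RPM systems expect `rpm -V` to flag the changed group and mode and an upgrade of the package that owns su to reset them, so re-run the check after every update.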
 
  

