restricting who can use the su command
let me know if this is a good idea, or a better way.
The /bin/su program is owned by root.root and has permissions -rws-r-x-r-x. If I create a group called 'admin' with some unique group id, and make /bin/su owned by root.admin having permissions -rws-r-x---, will that work and not cause other problems? I remember reading something about a wheel group, but I had this thought and it seems so much simpler.
'sudo' is the generally accepted solution to the problem it sounds like you are trying to solve.
Changing permissions on critical system binaries usually ends badly.
Quote:
https://wiki.debian.org/sudo
The misery starts when the su binary gets an update, and the original attributes are restored.
Thanks,
then it sounds like the best way is to use sudo along with PAM and the wheel group. From what I've read, it's edit /etc/pam.d/su and have auth required pam_wheel.so. I see I have a system group named wheel with gid 10, so then it's just a matter of adding specific user accounts to the wheel group. Will see how it goes.
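The check described in the post above (an active `auth required pam_wheel.so` line in /etc/pam.d/su, plus membership of the wheel group), as an added audit script that is not part of the original thread. The function names and the sample files are constructed for illustration; point the functions at copies of the real files to audit a system.

```shell
#!/bin/sh
# Added example: audit who can pass a pam_wheel restriction on su.
# File paths are arguments so the audit can run on copies of the real files.

# Print the group enforced by an active "auth required pam_wheel.so" line
# (wheel, or the group= option if given). Return 1 if no such line is active.
su_wheel_group() {
    awk '
        /^[[:space:]]*#/ { next }                  # commented out: not enforced
        $1 == "auth" && $2 == "required" && $3 ~ /(^|\/)pam_wheel\.so$/ {
            grp = "wheel"; deny = 0
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^group=/) grp = substr($i, 7)
                if ($i == "deny") deny = 1         # deny inverts the check
            }
            if (!deny) { print grp; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print every account in GROUP: members listed in the group file plus
# accounts whose primary GID in the passwd file is that group.
group_members() {   # usage: group_members GROUP GROUPFILE PASSWDFILE
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# Constructed sample files (not taken from any real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        'auth required pam_wheel.so use_uid' > "$d/su"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:alice,bob' > "$d/group"
    printf '%s\n' 'alice:x:1000:100::/home/alice:/bin/sh' \
        'carol:x:1002:10::/home/carol:/bin/sh' > "$d/passwd"
    if g=$(su_wheel_group "$d/su"); then
        echo "su restricted to group: $g"
        group_members "$g" "$d/group" "$d/passwd"
    else
        echo "no active pam_wheel restriction"
    fi
    rm -rf "$d"
}
demo
```

Running the audit after package updates also catches the case where a replaced /etc/pam.d/su has the pam_wheel line commented out again.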
http://www.informit.com/articles/art...20968&seqNum=5
the [logic] problem i'm running into is requirements being flung out (quantity not quality) and if there is a potential way to offer any kind of perceived increase in security then do it....
i normally use just su and never sudo. the root password is strong and only known by those who are trusted and competent. for the less competent (and maybe less trusted) then that's where sudo comes in right? say give only those people rights to... do what really? back to su and perceived increase, the warm fuzzy is oh look we can also restrict who can use su and that's where the wheel group comes in enforced by PAM. that's where i'm at.