
ron7000 10-04-2015 11:46 PM

restricting who can use the su command
 
let me know if this is a good idea, or a better way.

the /bin/su program is owned by root.root
has permissions -rws-r-x-r-x

if i create a group called 'admin' with some unique group id,
and make /bin/su owned by root.admin
having permissions -rws-r-x---
will that work and not cause other problems?

I remember reading something about a wheel group,
but I had this thought and it seems so much simpler.

descendant_command 10-05-2015 12:01 AM

'sudo' is the generally accepted solution to the problem it sounds like you are trying to solve.
Changing permissions on critical system binaries usually ends badly.

HMW 10-05-2015 01:01 AM

Quote:

Originally Posted by descendant_command (Post 5429965)
Changing permissions on critical system binaries usually ends badly.

^Yes. Don't do that, it will end in misery. Use sudo instead. Simply add the users which you want to grant superuser privileges to the group sudo.

https://wiki.debian.org/sudo

MadeInGermany 10-05-2015 12:58 PM

The misery starts when the su binary gets an update, and the original attributes are restored.

ron7000 10-05-2015 09:23 PM

thanks,
then it sounds like the best way is to use sudo along with pam and the wheel group,
from what i've read it's
edit /etc/pam.d/su and have

auth required pam_wheel.so

I see i have a system group named wheel is gid 10 so then it's just a matter of adding specific user accounts to the wheel group.
will see how it goes.

ron7000 10-05-2015 09:33 PM

http://www.informit.com/articles/art...20968&seqNum=5

Quote:

If you want to implement wheel and protect su against access from non-wheel members, you should also take another step: Change ownership of the su binary to the wheel group and remove public execute permissions, as follows:

chown root.wheel /bin/su

chmod 4750 /bin/su

so now this guy is saying what i was thinking...
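
An added example, not part of any post in this thread: a shell audit of the two restrictions discussed above, the auth required pam_wheel.so rule in /etc/pam.d/su and the 4750 root.wheel attributes on /bin/su, which can be rerun after package updates to catch restored attributes. The function names and the sample PAM file are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the two su restrictions discussed in this thread.

# Print "control args..." of the first ACTIVE auth rule that loads pam_wheel.so.
# Reads the file named in $1, or stdin. Exit status 1 if there is no such rule.
pam_wheel_rule() {
    awk '
        /^[ \t]*#/ { next }                    # commented-out rules do nothing
        $1 == "auth" || $1 == "-auth" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /(^|\/)pam_wheel\.so$/) {
                    out = $2
                    for (j = 3; j <= NF; j++) if (j != i) out = out " " $j
                    print out; found = 1; exit
                }
        }
        END { exit !found }
    ' "${1:--}"
}

# Classify the PAM side: only required/requisite actually blocks non-members.
su_pam_verdict() {
    rule=$(pam_wheel_rule "${1:-}") || { echo "open: no active pam_wheel rule"; return 1; }
    case $rule in
        required*|requisite*) echo "restricted: $rule" ;;
        *) echo "review: $rule"; return 2 ;;
    esac
}

# Succeed when a file has exactly the expected "octal-mode uid gid".
# Assumes GNU stat; -L follows a symlinked /bin/su.
attrs_match() {
    [ "$(stat -L -c '%a %u %g' "$1")" = "$2" ]
}

# Constructed sample of /etc/pam.d/su with the wheel rule commented out.
sample_pam_su() {
    cat <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
EOF
}

sample_pam_su | su_pam_verdict || true                    # wheel rule commented out
sample_pam_su | sed 's/^#auth/auth/' | su_pam_verdict     # same file, rule enabled
# On a real host (gid 10 is wheel in the post above):
#   su_pam_verdict /etc/pam.d/su; attrs_match /bin/su "4750 0 10" || echo "su attributes drifted"
```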

Emerson 10-05-2015 09:54 PM

Quote:

Originally Posted by ron7000 (Post 5430505)
thanks,
then it sounds like the best way is to use sudo along with pam and the wheel group,
from what i've read it's
edit /etc/pam.d/su and have

auth required pam_wheel.so

I see i have a system group named wheel is gid 10 so then it's just a matter of adding specific user accounts to the wheel group.
will see how it goes.

It looks like you are mixing up su and sudo. You set up sudoers in /etc/sudoers, no need to use wheel group, sudo gives you fine grained control over who can do what. Adding user to wheel group is effectively giving root rights.

ron7000 10-06-2015 12:52 PM

the [logic] problem i'm running into is requirements being flung out (quantity not quality) and if there is a potential way to offer any kind of perceived increase in security then do it....

i normally use just su and never sudo. the root password is strong and only known by those who are trusted and competent.
for the less competent (and maybe less trusted) then that's where sudo comes in right? say give only those people rights to... do what really?

back to su and perceived increase, the warm fuzzy is oh look we can also restrict who can use su and that's where the wheel group comes in enforced by PAM. that's where i'm at.


All times are GMT -5.