Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
let me know if this is a good idea, or a better way.
the /bin/su program is owned by root.root
has permissions -rws-r-x-r-x
if i create a group called 'admin' with some unique group id,
and make /bin/su owned by root.admin
having permissions -rws-r-x---
will that work and not cause other problems?
I remember reading something about a wheel group,
but I had this thought and it seems so much simpler.
'sudo' is the genarally accepted solution to the problem it sounds like you are trying to solve.
Changing permissions on critical system binaries usually ends badly.
Last edited by descendant_command; 10-05-2015 at 12:03 AM.
thanks,
then it sounds like the best way is to use sudo along with pam and the wheel group,
from what i've read it's
edit /etc/pam.d/su and have
auth required pam_wheel.so
I see i have a system group names wheel is gid 10 so then it's just a matter of adding specific user accounts to the wheel group.
will see how it goes.
If you want to implement wheel and protect su against access from non-wheel members, you should also take another step: Change ownership of the su binary to the wheel group and remove public execute permissions, as follows:
thanks,
then it sounds like the best way is to use sudo along with pam and the wheel group,
from what i've read it's
edit /etc/pam.d/su and have
auth required pam_wheel.so
I see i have a system group names wheel is gid 10 so then it's just a matter of adding specific user accounts to the wheel group.
will see how it goes.
It looks like you are mixing up su and sudo. You set up sudoers in /etc/sudoers, no need to use wheel group, sudo gives you fine grained control over who can do what. Adding user to wheel group is effectively giving root rights.
the [logic] problem i'm running into is requirements being flung out (quantity not quality) and if there is a potential way to offer any kind of perceived increase in security then do it....
i normally use just su and never sudo. the root password is strong and only known by those who are trusted and competent.
for the less competent (and maybe less trusted) then that's where sudo comes in right? say give only those people rights to... do what really?
back to su and perceived increase, the warm fuzzy is oh look we can also restrict who can use su and that's where the wheel group comes in enforced by PAM. that's where i'm at.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
