Whir47 01-20-2009 09:21 AM

Su permissions (User A can su to User B, but not User C)
Is there a way to set something like this up:

Users:    Group:
Group1    Group1
Mark      Group1
Tom       Group1
Group2    Group2
Joe       Group2

Mark, Tom and Joe can SSH into the box, ITS and Group2 cannot.

Mark and Tom can SU to Policy, but not ITS
Joe can SU to ITS, but not Policy

To explain the constraints, I'm trying to set suexec up in a group development environment. Since suexec requires that permissions on a file to serve must be no more than 755 and I don't want to distribute shared group user accounts (for two reasons: the obvious insecurities with having multiple people using a single account and that all the individual users are already in place).

Ideally, I would like for Mark, Tom and Joe to each be able to SSH in to the server. Once they have logged in, a script is executed that calls su - Group1/Group2 and they then are able to edit their files.

Thanks in advance. :)

eco 01-21-2009 03:56 AM

I find your post a little unclear but let me see if I got it right.

- You want only certain users to login to your system?

You can control that through ssh. In sshd_config add:
AllowUsers Mark Tom Joe

- You want them to have access to the same directory to work on files?
Why not set up groups and grant permissions to the folders?

You could even set the permissions to make sure the group is set when you create a file by using chmod 02770.


# mkdir test
# chown root:staff test
# chmod 02770 test
# touch test/file
# ls -ld test/file
-rw-r--r-- 1 root staff 0 2009-01-20 18:50 test/file

If you want to use sudo, I guess you can create groups with different rights.

If I got it all wrong, sorry ;)
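
Added example, not part of either post above: one way to express the "Mark and Tom may become Group1, Joe may become Group2" rule with sudo instead of su. The file name and alias names are hypothetical, and it assumes Group1 and Group2 are the shared accounts that own the suexec files.

```sudoers
# Hypothetical drop-in file: /etc/sudoers.d/dev-accounts
# Edit with:  visudo -f /etc/sudoers.d/dev-accounts
# Check with: visudo -cf /etc/sudoers.d/dev-accounts
#
# Assumptions: Group1 and Group2 are the shared accounts; Mark, Tom and
# Joe are the personal logins already allowed in by AllowUsers.

User_Alias GROUP1_DEVS = Mark, Tom
User_Alias GROUP2_DEVS = Joe

# user-list  host = (run-as user)  commands
# Mark and Tom may run commands as Group1 only; Joe as Group2 only.
GROUP1_DEVS ALL = (Group1) ALL
GROUP2_DEVS ALL = (Group2) ALL

# Nothing here names root or the other team's account as a run-as
# target, so "sudo -u Group2 -i" typed by Mark is refused and logged.
# This only holds if no other sudoers rule (for example a broad admin
# group entry) also matches these users.
#
# Locking the shared accounts' passwords keeps plain su from being a
# second way in:
#   passwd -l Group1
#   passwd -l Group2
#
# Usage after SSH login. sudo asks for the caller's own password, so no
# shared password has to be handed out:
#   sudo -u Group1 -i     # Mark or Tom: login shell as Group1
#   sudo -u Group2 -i     # Joe: login shell as Group2
#   sudo -l               # show what the calling user may run
```

Each sudo invocation is logged under the personal login that ran it, so work done in a shared account can still be traced to Mark, Tom or Joe.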

