Re: SU privileges

From: Adams Kevin J (kevin.adams_at_PHS.COM)
Date: 06/24/04

    Date:         Thu, 24 Jun 2004 11:32:25 -0700
    To: aix-l@Princeton.EDU
    
    

    If you know a userid you want to limit the ability to su to (like root),
    create a group (like suroot), add the users you want to allow to su to root,
    and add the name of the group to the root's SU GROUPS user entry. Now only
    those users in group suroot can su to root. You can use multiple groups this
    way too. You still need to know the password too.

    You can also limit the ability to SU to an account via the user entry
    "Another user can SU TO USER?" set to false. This is all or nothing.

    Another way would be to set an ACL on the su command. You can limit the
    ability to use the command this way.

    SUDO is an excellent tool too, but doesn't limit someone who knows a
    password from SUing.

    Kevin Adams

    PacifiCare Behavioral Health
    3120 Lake Center Drive
    Mail Stop LC01-394
    Santa Ana, CA 92704

    Email: kevin.adams@phs.com
    Work: 714-445-0343
    Fax: 714-445-0475

    -----Original Message-----
    From: IBM AIX Discussion List [mailto:aix-l@Princeton.EDU] On Behalf Of
    Jan-Frode Myklebust
    Sent: Thursday, June 24, 2004 5:10 AM
    To: aix-l@Princeton.EDU
    Subject: Re: [aix-l] SU privileges

    On Thu, Jun 24, 2004 at 06:49:06AM -0500, David Zarnoch wrote:
    >
    > How would I set up a group to allow SU privileges?

    To limit that only specific users are allowed to use the 'su' command?
    Then adding these users to group=security and changing the permissions
    on /usr/bin/su should do the trick:

            % ls -ld /usr/bin/su
            -r-sr-xr-x 1 root security 18980 Apr 30 2003 /usr/bin/su
            % chmod 4550 /usr/bin/su
            % ls -ld /usr/bin/su
            -r-sr-x--- 1 root security 18980 Apr 30 2003 /usr/bin/su

    > Could I create a group "rootprvl" or would I need to use "sudo"?

    If you want to give a group of users the possibility to run 'su -
    $username' without needing to know the password of $username, then I
    think 'sudo' is the best solution.

      -jf

     (awaiting a flood of vacation messages from misconfigured vacation
      programs from the users on this list)
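
The two user-entry controls discussed in this thread (SU GROUPS and "Another user can SU TO USER?") are stored as the `sugroups` and `su` attributes in `/etc/security/user`. The following audit sketch is an added example, not code from either poster: it reads a constructed sample in that stanza format and reports which callers pass those two checks. The function names are hypothetical, the `ALL` keyword and `!group` exclusion go beyond what the posts mention, and treating a matching `!group` as overriding any allow is an assumption of this sketch.

```shell
#!/bin/sh
# Constructed sample in /etc/security/user stanza format (not from a real host).
sample_user_file() {
cat <<'EOF'
* lines starting with an asterisk are comments
default:
        su = true
        sugroups = ALL

root:
        sugroups = suroot

oracle:
        su = false

batch:
        sugroups = ops,!contractors
EOF
}

# su_policy ACCOUNT: read a stanza file on stdin and print "<su> <sugroups>"
# for ACCOUNT, inheriting from the default stanza any attribute it lacks.
su_policy() {
    awk -v acct="$1" '
        /^[ \t]*$/ || /^\*/ { next }                      # blank or comment
        /^[^ \t=]+:[ \t]*$/ { sub(/:[ \t]*$/, ""); cur = $0; next }
        /=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            attr[cur, key] = val
        }
        END {
            s = ((acct, "su") in attr) ? attr[acct, "su"] : attr["default", "su"]
            g = ((acct, "sugroups") in attr) ? attr[acct, "sugroups"] : attr["default", "sugroups"]
            print s, g
        }'
}

# can_su ACCOUNT GROUPS: exit 0 if a non-root caller whose groups are the
# comma-separated GROUPS passes the su/sugroups checks (stanza file on stdin).
# Assumption: a matching "!group" entry overrides any allow. Password not modelled.
can_su() {
    set -- "$2" $(su_policy "$1")     # now $1=caller groups, $2=su, $3=sugroups
    [ "$2" = "true" ] || return 1     # su = false blocks everyone ("all or nothing")
    allowed=1
    for g in $(echo "$3" | tr ',' ' '); do
        if [ "$g" = "ALL" ]; then allowed=0; fi
        case ",$1," in
            *",${g#!},"*) case "$g" in '!'*) return 1 ;; *) allowed=0 ;; esac ;;
        esac
    done
    return "$allowed"
}
```

On a real host, feed `/etc/security/user` to the functions in place of `sample_user_file`, and take the caller's groups from `id -Gn` with the spaces converted to commas.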


