[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Disabling SU

Subject: Re: [cobalt-users] Disabling SU
From: shimi <shimi@xxxxxxxxxxxxxxxx>
Date: Sun Apr 22 21:44:37 2001
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

On Mon, 23 Apr 2001, Raphael Foo wrote:

> Hi List,
> 
> I've been reading so much about security within this list that I''ve gotten
> rather paranoid. So now, I've disabled telnet in my RaQs and am ssh-ing into
> them instead. However, i realised that "su"s can cause problems and I'm now
> finding a way to disable it (su) from normal users. 
> 
> I know that users have to be in the "wheel" group for them su to root, but
> what if i want to totally disable su for these users ? (such that they
> cannot su to other users as well)
> 
> Can someone out there can brighten the way ?
> 
> Thanks!

Hmm.. yeah... I think :)
su, as far as I can tell, is a suid app in order to run a shell...

[shimi@www /bin]$ ls -l su
-rwsr-xr-x   1 root      root       13208 Apr 13  1999 su

so... as you can see, the "other" access is r-x, which means read+execute.

what you basically want is that only wheeled users could run this program,
right?

so I would do...

cd /bin
chgrp wheel su
chmod 750 su
chmod +s su

that would basically allow only to root and users in the wheel group to
run that program.

when you test it, have another root connection running so if something
goes wrong, you can do from there:

cd /bin
chgrp root su
chmod 755 su
chmod +s su


> 
> -Raphael Foo
> FailSafe Corporation.
> 

b. regards

- shimi

References:
- [cobalt-users] Disabling SU
  - From: Raphael Foo

Prev by Date: [cobalt-users] Two domains One VSite
Next by Date: Re: [cobalt-users] httpd running but no web except Cobalt GUI
Previous by thread: [cobalt-users] Disabling SU
Next by thread: Re: [cobalt-users] Disabling SU

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index