Re: [cobalt-users] Disabling SU

["Rodolfo J. Paiz" <rpaiz@xxxxxxxxxxxxxx>]

At 4/23/01 02:23 PM +0800, you wrote:
> I've been reading so much about security within this list that I''ve gotten
> rather paranoid.

Good. <satisfied smile>

> So now, I've disabled telnet in my RaQs and am ssh-ing into
> them instead.

Better!

> However, i realised that "su"s can cause problems and I'm now
> finding a way to disable it (su) from normal users.

The first question that comes to mind is, how many of your users have shell 
access? If none have it (which is IMHO the way to run a railroad) then I 
don't *think* su has a big risk.

> I know that users have to be in the "wheel" group for them su to root, but
> what if i want to totally disable su for these users ? (such that they
> cannot su to other users as well)

Never thought about this, but perhaps change the permissions so that only 
root can run it? In my beloved "Securing and Optimizing Linux: RedHat 
Edition" (http://www.openna.com/book/book.html I think,  and ISBN 
#0-9700330-0-1) there's a bit on su. Also, somewhere out there I found 
instructions on modifying the permissions of su... I think I posted them to 
this list, but am not sure. Either it was here or it was one of the RedHat 
lists but I just don't know anymore. (Hopefully Google does... less than 
two months ago was the date.)


--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx