
RE: [cobalt-users] Disabling SU



Mucho Thanks to Shimi and Rudolfo and all others for the help. All works
well now! :D
-Raphael.

> -----Original Message-----
> From: shimi [mailto:shimi@xxxxxxxxxxxxxxxx]
> Sent: Monday, April 23, 2001 8:25 PM
> To: 'cobalt-users@xxxxxxxxxxxxxxx'
> Subject: Re: [cobalt-users] Disabling SU
> 
> 
> 
> On Mon, 23 Apr 2001, Raphael Foo wrote:
> 
> > Hi List,
> > 
> > I've been reading so much about security within this list that I've gotten
> > rather paranoid. So now, I've disabled telnet in my RaQs and am ssh-ing into
> > them instead. However, I realised that "su"s can cause problems and I'm now
> > finding a way to disable it (su) from normal users.
> > 
> > I know that users have to be in the "wheel" group for them to su to root, but
> > what if I want to totally disable su for these users? (such that they
> > cannot su to other users as well)
> > 
> > Can someone out there brighten the way?
> > 
> > Thanks!
> 
> Hmm.. yeah... I think :)
> su, as far as I can tell, is a suid app in order to run a shell...
> 
> [shimi@www /bin]$ ls -l su
> -rwsr-xr-x   1 root      root       13208 Apr 13  1999 su
> 
> so... as you can see, the "other" access is r-x, which means read+execute.
> 
> what you basically want is that only wheeled users could run this program,
> right?
> 
> so I would do...
> 
> cd /bin
> chgrp wheel su
> chmod 750 su
> chmod +s su
> 
> that would basically allow only root and users in the wheel group to
> run that program.
> 
> when you test it, have another root connection running so if something
> goes wrong, you can do from there:
> 
> cd /bin
> chgrp root su
> chmod 755 su
> chmod +s su
> 
> 
> > 
> > -Raphael Foo
> > FailSafe Corporation.
> > 
> 
> b. regards
> 
> - shimi
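
The mode bits that the chgrp/chmod sequence in the quoted reply leaves behind, as an added example that is not part of the original thread. The function names are hypothetical, a scratch file stands in for /bin/su, the `chgrp wheel` step is skipped so no root is needed, and `stat -c '%a'` (GNU or busybox stat) is assumed.

```shell
#!/bin/sh
# Added example: decode and check the permission bits of a su-style binary.

# su_mode_flags MODE -> space-separated flags for an octal mode such as 4755
su_mode_flags() {
    m=$((0$1)); out=""
    [ $((m & 04000)) -ne 0 ] && out="$out setuid"
    [ $((m & 02000)) -ne 0 ] && out="$out setgid"
    [ $((m & 00010)) -ne 0 ] && out="$out group-exec"
    [ $((m & 00001)) -ne 0 ] && out="$out other-exec"
    echo "${out# }"
}

# su_is_wheel_only MODE -> exit 0 when setuid is kept, the group may execute,
# and "other" has no access at all (the state the thread aims for)
su_is_wheel_only() {
    m=$((0$1))
    [ $((m & 04000)) -ne 0 ] && [ $((m & 00010)) -ne 0 ] && [ $((m & 00007)) -eq 0 ]
}

# replay_thread_sequence -> replays the thread's chmod steps on a scratch file
# (constructed stand-in for /bin/su) and prints the mode after each step
replay_thread_sequence() {
    f=$(mktemp) || return 1
    chmod 4755 "$f"; before=$(stat -c '%a' "$f")   # same bits as -rwsr-xr-x
    chmod 750 "$f";  mid=$(stat -c '%a' "$f")      # numeric mode drops setuid
    chmod +s "$f";   after=$(stat -c '%a' "$f")    # +s sets setuid AND setgid
    rm -f "$f"
    echo "$before $mid $after"
}

echo "modes before / after chmod 750 / after chmod +s: $(replay_thread_sequence)"

# Report on the real binary when it exists at the path used in the thread.
if [ -e /bin/su ]; then
    real=$(stat -c '%a' /bin/su)
    echo "/bin/su mode $real: $(su_mode_flags "$real")"
    if su_is_wheel_only "$real"; then
        echo "/bin/su: executable by owner and group only"
    else
        echo "/bin/su: not restricted to owner and group"
    fi
fi
```

The replay shows that `chmod +s` after `chmod 750` yields mode 6750, so the binary also carries the setgid bit; `su_is_wheel_only` only looks at the mode, so group ownership still has to be confirmed with `ls -l`.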