SUMMARY: limit su access to some users

From: Robin Sinclair (sin@weusc.es)
Date: Tue Nov 26 1996 - 03:22:03 CST


Dear sun-mgrs

Many thanks once again for many replies to my question:

=> Does anyone know if there exists on Solaris 2.4 a way to limit which users
=> can access root via 'su' ? I would like only 2-3 people to be able to use
=> 'su -' to access root.
=>
=> On SunOS 4.1.3 there was the 'wheel' group, whose members were the only people
=> who could su to root. Anyone else who tried 'su -' received the message
=> You do not have permission to su to root
=> or suchlike.
=> However on Solaris 2.4 this mechanism doesn't seem to exist any more..
=>

Thanks to :
        sjenkins@iastate.edu
        bbyoung@amoco.com
        dave@chadwyck.co.uk
        bergman@phri.nyu.edu
        rich@loopexpert.com
        david@cs.newcastle.edu.au
        beckman@bofh.fleet.capital.ge.com
        fpardo@tisny.com
        sagray@amp.com
        joe@ns.hunter1.com

The suggestions were basically the following:

1. If your users don't use su to become other (non-root) users, then
you can:
        add the trusted users to group "wheel" in /etc/group
        chmod 4550 /bin/su /sbin/su
This has the disadvantage that normal users can't use su to become other users
than root. I would like to keep this possibility.

2. Use the sysadmin group
Unfortunately this doesn't affect su access as far as I can tell, only enables
use of admintool by non-root users.

3. Try sudo.
This is the best solution, especially using the 'ALL' keyword (with care!)
to give certain trusted users full access to root.

Many thanks

Robin
WEUSC sysadmin
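
An added example, not part of the original post: a POSIX shell audit of suggestion 1 that reads the `ls -l` line for su and the group file, then reports whether su is really limited to the trusted group. It assumes the su binary is also group-owned by "wheel" (the post shows only the chmod); the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Audit the "wheel + chmod 4550" restriction described in suggestion 1.
# Assumption: su must be owned by root and group-owned by the trusted group,
# otherwise mode 4550 does not limit it to those users.

# Print the members listed for GROUP in an /etc/group-format FILE, one per line.
# Note: users whose *primary* GID is the group are not listed in that field.
group_members() {  # usage: group_members GROUP FILE
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$2"
}

# Classify one `ls -l` line for su.
# Prints: restricted | open | misconfigured:<reason>
classify_su() {  # usage: classify_su "LS_LINE" GROUP
    printf '%s\n' "$1" | awk -v g="$2" '{
        mode = substr($1, 1, 10)          # drop any trailing ACL marker
        if (substr(mode, 4, 1) != "s") { print "misconfigured:not-setuid"; exit }
        if ($3 != "root")              { print "misconfigured:owner"; exit }
        if (substr(mode, 10, 1) != "-") { print "open"; exit }  # others may run su
        if ($4 != g)                   { print "misconfigured:group"; exit }
        if (substr(mode, 7, 1) != "x") { print "misconfigured:group-noexec"; exit }
        print "restricted"
    }'
}

# Report on a real su binary and list who is allowed to run it.
audit_su() {  # usage: audit_su SU_PATH GROUP GROUP_FILE
    line=$(ls -lL "$1") || return 2
    status=$(classify_su "$line" "$2")
    echo "$1: $status"
    if [ "$status" = restricted ]; then
        group_members "$2" "$3" | sed 's/^/  may run su: /'
    fi
    return 0
}

# Run only when called with arguments, e.g.: sh audit.sh /bin/su wheel /etc/group
if [ $# -eq 3 ]; then
    audit_su "$1" "$2" "$3"
fi
```

A result of "restricted" also confirms the drawback noted in the post: users outside the group cannot run su at all, even to become a non-root user.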


