SUMMARY: stop users su'ing on their workstations

From: sun_question question <>
Date: Fri Sep 27 2002 - 12:01:04 EDT
Original Post:
>I have users on Solaris 2.6 NIS environment on Sparc20s.
>Users have root passwd for their workstations.
>They can become root on their workstation and su to whomever
>they want from NIS passwd file.
>How do I stop this without taking their root passwd away?

Thanx all for your replies.  Too many to list.  Majority of answers said 
"Can't be done without removing su" and "use sudo"
Below are a few different suggestions...last 2 replies pasted below still 
wouldn't stop users su'ing to someone else once they are root..I think

Only way I can think of is something like CA/eTrust/SeOS...
The obvious technical solution is to configure all your *other*
machines so that they don't trust the workstations in question.
That means no NFS exports (except read-only exports of non-sensitive
information), no hostbased authentication for ssh, no /etc/hosts.equiv
entries, etc.
It may also be possible to Kerberize your installation. One of the
merits of Kerberos is precisely that it authenticates users centrally,
and does *not* trust the (insecure) workstations to do this.
Use "powerbroker"
retrict the su command instead.  Change /usr/bin/su to mode 4750.
Change its group to a totally new group (I use group 15, which I have
named "sugroup").  In the /etc/group file, define that group and
explicitly list whom is allowed to use the su group.  (Be sure to
include root!).  So the only way they can become root is to log in
locally.  Since their NIS master is presumably in a data center that is
not physically accessible, that should keep em out.
Make up a group called "wheel" (name stolen from BSD...)
ypcat group | grep wheel
on all yourt clients:
#chmod 4550 /usr/bin/su /sbin/su.static
#chown root:wheel /usr/bin/su /sbin/su.static
Now, only users in group wheel can run "su"

Chat with friends online, try MSN Messenger:
sunmanagers mailing list
Received on Fri Sep 27 12:07:06 2002

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:55 EST