linux_learner Posted December 12, 2004

It depends on how restrictive you want it. Telling me you don't want them to su doesn't tell much. You can do that by taking it out of the bash profile, but then if they know the absolute path, they'll be able to bypass it. The su is one you may not (and is not advisable) be able to get rid of. The best course of action is to take it out of your bash profile. By changing permissions on su, which is a file, you risk not being able to access it at all. You could chown it, but then that has its own problems. Generally you don't mess with su, except by taking it out of the bash profile. Since you can have the password on the root account expire after a set amount of time, and since the password is shadowed, only someone who knows the root password can gain su/root privileges.

Albus Posted December 12, 2004 Author

More specific then: When you install Mandrake, assuming you choose "Higher" as the security level, when you are faced with the "regular user" creation part of the setup program, there are additional options listed under the main items. These items are checkboxes and for each enabled, the user gains execute rights for that item. One such item is the "su" command. Left unchecked, the user would see "command not found" if they typed "su" at the shell.

The Question: When you check that box, what files/settings does Mandrake change?

linux_learner Posted December 12, 2004

I haven't used Mandrake in over a year. I couldn't tell you exactly. You can, however, experiment with this on your own, and then poke around and see what changed. BTW, I use SUSE.

Albus Posted December 12, 2004 Author

I found the answer located at the following link: http://hills.ccsf.cc.ca.us/~ckan04/project.shtml

The snippet in question reads:

Therefore we should limit the people allowed to "su" to the root account by editing the "su" file (/etc/pam.d/su) with the following two lines to the top of the file:

    auth sufficient /lib/security/pam_rootok.so debug
    auth required /lib/security/pam_wheel.so group=wheel

This means only those who belong to the "wheel" group can "su" to root. You may add users to this group so that they may use the "su" command. To make it more secure, you may restrict root to login on specific TTY devices. The following command is to add user to the "wheel" group:

    #usermod -G10 admin

(This means to add "admin" to the wheel group ("10" is the numeric user id of "wheel") and "admin" is the user that belongs to a supplementary group "G".)

Conclusion: The same practice can be used to limit access to a variety of other system utilities.

Thanks for your patience linux_learner. I hope this information aids others in setting up their systems more securely. The entire linked page is worth reading. It both explains things and gives examples. :)
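
To confirm that the pam_wheel restriction quoted in the last post is actually active, and who it lets through, a check like the following can be run. It is an added example, not part of the thread or the linked page. The function names and the sample files are constructed for illustration, and `audit_su` defaults to /etc/pam.d/su and /etc/group when called without arguments.

```shell
#!/bin/sh
# Added example: check whether a PAM su file restricts su to a group.

# Print the group enforced by an active "auth required|requisite pam_wheel.so"
# line in FILE ($1); return 1 if no such line exists.
su_wheel_group() {
    awk '
        /^[[:space:]]*#/ { next }              # commented-out rules do nothing
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
        $3 ~ /(^|\/)pam_wheel\.so$/ {
            grp = "wheel"                      # pam_wheel default without group=
            for (i = 4; i <= NF; i++)
                if ($i ~ /^group=/) grp = substr($i, 7)
            print grp; found = 1; exit
        }
        END { exit !found }
    ' "$1"
}

# Print the member list (field 4) of GROUP ($1) from a group(5) file ($2).
# Users whose primary group is GROUP are not listed in that field.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4; found = 1 } END { exit !found }' "$2"
}

# audit_su [PAM_FILE] [GROUP_FILE]: one-line verdict, exit 0 only if restricted.
audit_su() {
    pam=${1:-/etc/pam.d/su} grpfile=${2:-/etc/group}
    if grp=$(su_wheel_group "$pam"); then
        members=$(group_members "$grp" "$grpfile") || members="(group missing)"
        echo "RESTRICTED group=$grp members=${members:-none}"
    else
        echo "UNRESTRICTED no active pam_wheel line in $pam"
        return 1
    fi
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'auth sufficient /lib/security/pam_rootok.so debug' \
    'auth required /lib/security/pam_wheel.so group=wheel' > "$demo/su.hardened"
printf '%s\n' 'auth sufficient /lib/security/pam_rootok.so' \
    '#auth required /lib/security/pam_wheel.so group=wheel' > "$demo/su.default"
printf '%s\n' 'root:x:0:' 'wheel:x:10:admin' > "$demo/group"
audit_su "$demo/su.hardened" "$demo/group"
audit_su "$demo/su.default" "$demo/group" || true
```

The second sample shows the common failure mode: the pam_wheel line is present but commented out, so the file looks hardened at a glance while any user who knows the root password can still su.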