On Wed, 2007-11-14 at 12:03 -0800, James D. Parra wrote:

> -----Original Message-----
> From: Druid [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 14, 2007 11:57 AM
> To: [email protected]
> Subject: Re: [opensuse] limiting users who can use su
>
> chown /bin/su binary so it can be only executed by people in a certain
> group (by tradition, it's usually called wheel group)
>
> Somewhere in this url it says how:
> http://www.cromwell-intl.com/security/linux-hardening.html
>
> On Nov 14, 2007 5:50 PM, James D. Parra <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > Is there a way to control which user accounts can use 'su' when using ssh? I
> > want only a couple of users to be able to change to root when using ssh.
> ~~~~~~~
>
> Perfect. Thank you. This is the kind of response I needed.
>
> For internal reasons, that I don't wish to go into here, there are users who
> get the root passwd from other users 'just because they needed to'. Again, I
> don't want to go into details, however the above response will help me
> get around this problem.
> ~~~

> I see some contradictions to what you say here. In your original post,
> you mentioned you did not want people to su from ssh. The solution
> presented limits su whether via ssh or on the machine physically.
> So if you're saying strictly limit su in an SSH situation, but allow in
> a physical situation, you haven't resolved the problem.

No contradiction, just added info. Users login via ssh. The subject line is the topic; that is, limiting users who can use 'su'. Just wanted to be brief in the post.

> The other issue here is that internally, you have people giving out
> root's password. Root constantly gets compromised when you do that.
> When something went wrong because "root" did something, how do you know
> which user actually played as "root"? A better solution would be to
> create a user or set of users who is a member of the root group.

I know all about the problems about who should and should not get the root password, but real world situations in corporations have their own corporate politics. What is supposed to happen and the way things actually occur do not always match best practices. My question and the answers received suggesting putting specific users in the 'wheel' group was what was helpful. If I can't change people's behavior, I can at least chmod the permissions for 'su'.

> On the other hand, if you hand out root's password to everyone, and say
> someone in the company has been fired, [....]

Not everyone has the root password and that was not the question. However, I do appreciate your suggestions about using keys for ssh.

Thank you,

~James

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
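The mechanism the thread settles on (group-own /bin/su and drop the "other" permission bits so only members of one group can run it) as an added example script; it is not from the thread or from the openSUSE project. `restrict_su_to_group` is the hypothetical helper name, the mode 4750 (setuid root, owner rwx, group r-x, nothing for others) and the use of GNU `stat`/`getent` on Linux are assumptions, and the `demo` function works on a constructed copy of `/bin/true` in a temp directory, group-owned by the caller's own primary group, so it runs without root. On a real system the call would be `restrict_su_to_group /bin/su wheel` as root, after adding the permitted accounts to wheel.

```shell
#!/bin/sh
# Added example: restrict a setuid binary such as /bin/su to one group.
# Real use (as root):  restrict_su_to_group /bin/su wheel

# Group-own the binary and set mode 4750: setuid, owner rwx, group r-x,
# no permission bits at all for "other". Anyone outside the group cannot exec it.
restrict_su_to_group() {
    bin="$1"
    grp="$2"
    chgrp "$grp" "$bin" || return 1
    chmod 4750 "$bin" || return 1
}

# Octal mode of a file (GNU stat, assumed Linux).
mode_of() {
    stat -c '%a' "$1"
}

# Succeeds when the "other" digit of the mode is 0, i.e. only owner and
# group members can run the binary. Useful as an audit check after a change.
su_restricted() {
    m=$(mode_of "$1")
    last=${m#${m%?}}          # last character of the octal mode string
    [ "$last" = "0" ]
}

# Lists the accounts that may still run the binary: members of its owning group
# (root can always run it regardless). Requires getent on the host.
allowed_users() {
    grp=$(stat -c '%G' "$1")
    getent group "$grp" | cut -d: -f4
}

# Unprivileged demonstration on a constructed stand-in for /bin/su.
demo() {
    tmp=$(mktemp -d)
    cp /bin/true "$tmp/su"                       # constructed copy, not the real su
    restrict_su_to_group "$tmp/su" "$(id -gn)"   # caller's primary group, so no root needed
    printf 'mode of stand-in su: %s\n' "$(mode_of "$tmp/su")"
    if su_restricted "$tmp/su"; then
        echo "others cannot execute it; allowed group members: $(allowed_users "$tmp/su")"
    fi
    rm -rf "$tmp"
}
```

Note that this controls who can execute `su` at all, whether the user arrived over ssh or on the console, which is exactly the point raised in the quoted reply; it does not by itself stop a member of the group from sharing the root password further.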
