Restrict Commands.

**rub3x** · 07-05-2005

How can I restrict certain users from running certain commands such as su?

**techieMoe** · 07-05-2005

Unless a normal user knows the root password, they can't use a command like su. At least, it won't do anything. Even if they tried 'sudo', their normal user password wouldn't work unless the user was specifically added to the sudoers group.

Don't mean to sidestep your question, but do you have a better example of what commands you want to restrict?

**dylunio** · 07-05-2005

you can make the executable for su (/bin/su) only available for people within a group, I think this is done already with the wheel group, if their a part of the wheel group they can access in, if otherwise, not.

I'll base my following example on /sbin/ifconfig. Firstly create a group (do all of the following as root)

Code:

groupadd leet

this creates a group named leet. Next lets give /sbin/ifconfig this group with

Code:

chgrp leet /sbin/ifconfig

now set it so that the awner (root in this case) and group can execute it, but not anyone else.

Code:

chmod 554 /sbin/ifconfig

now if you want user john to have access to the command add him to the group

Code:

usermod -g leet john

I hope this helps.

**anomie** · 07-05-2005

dylunio,

I don't think a wheel group exists in Linux as it does in BSD (at least that I know of). But your steps here are actually a very good idea for hardening Linux a bit, for a multi-user system.

edit: Hmm, I take that back. The wheel group exists in /etc/group under SuSE. However, my account is not a member and can still su.

**borromini** · 07-05-2005

The wheel group also exists on Debian, Slackware, and I suppose on other distro's also, it is mentioned in the sudoers file, amongst others...

**Krendoshazin** · 07-05-2005

There is an option in /etc/login.defs called SU_WHEEL_ONLY which you can change to yes to have wheel access only, after that you need to add users to the root group of /etc/group in order for them to use su, anyone not in the group will be met with this message

bash-2.05b$ su
You are not authorized to su root

anyone in the root group will be able to use su as normal

**bigtomrodney** · 07-05-2005

I like this, inspires me to build more policy like groups for users. Could be fun...

**anomie** · 07-05-2005

There is an option in /etc/login.defs called SU_WHEEL_ONLY which you can change to yes to have wheel access only

Very good to know.

**anomie** · 07-06-2005

Well, these excellent ideas got me exploring in SuSE. I found that adding the entry to /etc/profile.defs does not work correctly (in SuSE 9.2) - that or I implemented it incorrectly. But it seemed pretty straightforward.

One way that does work (in SuSE 9.2) is adding the entry

Code:

auth     required       pam_wheel.so

to /etc/pam.d/su.

Then of course any user you want to be able to su to root must be in the wheel group.

Thread Tools

Display

Restrict Commands.

Posting Permissions