  1. #1
    Just Joined!
    Join Date
    Jun 2005
    Location
    127.0.0.1
    Posts
    29

    Restrict Commands.


    How can I restrict certain users from running certain commands such as su?

  2. #2
    Linux Guru techieMoe's Avatar
    Join Date
    Aug 2004
    Location
    Texas
    Posts
    9,496
    Unless a normal user knows the root password, they can't use a command like su. At least, it won't do anything. Even if they tried 'sudo', their normal user password wouldn't work unless the user was specifically added to the sudoers group.

    Don't mean to sidestep your question, but do you have a better example of what commands you want to restrict?
    Registered Linux user #270181
    TechieMoe's Tech Rants

  3. #3
    Linux Guru dylunio's Avatar
    Join Date
    Aug 2004
    Location
    Cymru
    Posts
    4,157
    You can make the executable for su (/bin/su) only available for people within a group. I think this is done already with the wheel group: if they're a part of the wheel group they can access it; otherwise, not.

    I'll base my following example on /sbin/ifconfig. Firstly create a group (do all of the following as root)
    Code:
    groupadd leet
    This creates a group named leet. Next let's give /sbin/ifconfig this group with
    Code:
    chgrp leet /sbin/ifconfig
    Now set it so that the owner (root in this case) and group can execute it, but not anyone else.
    Code:
    chmod 554 /sbin/ifconfig
    Now if you want user john to have access to the command, add him to the group
    Code:
    # -a -G appends leet to john's supplementary groups; -g would replace his primary group
    usermod -a -G leet john
    I hope this helps.
    Registered Linux User #371543!
    Get force-get May The Source Be With You
    /dev/null
    /dev/null2

  4. #4
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    dylunio,

    I don't think a wheel group exists in Linux as it does in BSD (at least that I know of). But your steps here are actually a very good idea for hardening Linux a bit, for a multi-user system.

    edit: Hmm, I take that back. The wheel group exists in /etc/group under SuSE. However, my account is not a member and can still su.

  5. #5
    Linux Engineer
    Join Date
    Apr 2005
    Location
    Belgium
    Posts
    1,429
    The wheel group also exists on Debian, Slackware, and I suppose on other distros also; it is mentioned in the sudoers file, amongst others...
    ** Registered Linux User # 393717 and proud of it ** Check out www.zenwalk.org
    ** Zenwalk 2.8 - Xfce 4.4 beta 2- 2.6.17.6 kernel = Slack on steroids! **

  6. #6
    Linux User Krendoshazin's Avatar
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    There is an option in /etc/login.defs called SU_WHEEL_ONLY which you can change to yes to have wheel access only. After that you need to add users to the root group of /etc/group in order for them to use su; anyone not in the group will be met with this message:
    bash-2.05b$ su
    You are not authorized to su root
    Anyone in the root group will be able to use su as normal.

  7. #7
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,126
    I like this, it inspires me to build more policy-like groups for users. Could be fun...

  8. #8
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    There is an option in /etc/login.defs called SU_WHEEL_ONLY which you can change to yes to have wheel access only
    Very good to know.

  9. #9
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Well, these excellent ideas got me exploring in SuSE. I found that adding the entry to /etc/profile.defs does not work correctly (in SuSE 9.2) - that or I implemented it incorrectly. But it seemed pretty straightforward.

    One way that does work (in SuSE 9.2) is adding the entry
    Code:
    auth     required       pam_wheel.so
    to /etc/pam.d/su.

    Then of course any user you want to be able to su to root must be in the wheel group.
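
A read-only check for the two restrictions described in posts #3 and #9, added here as an example and not part of the original thread. The function names are made up for this example, and it assumes GNU stat (`stat -c`) as found on Linux.

```shell
#!/bin/sh
# Added example: verify the group-only binary (post #3) and the
# pam_wheel line (post #9). Nothing here changes the system.

# Succeeds if FILE (default /etc/pam.d/su) has an active, uncommented
# "auth required pam_wheel.so" line. Module options after the module
# name are allowed but not interpreted.
pam_wheel_required() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so([[:space:]]|$)' \
        "${1:-/etc/pam.d/su}" 2>/dev/null
}

# Succeeds if FILE is group-owned by GROUP and "other" has no execute
# bit, which is the state chgrp + chmod 554 should leave behind.
group_only_exec() {
    file=$1
    group=$2
    [ "$(stat -c %G "$file")" = "$group" ] || return 1
    mode=$(stat -c %a "$file")
    other=${mode#"${mode%?}"}    # last octal digit = permissions for "other"
    case $other in
        1|3|5|7) return 1 ;;     # execute bit still set for everyone
    esac
    return 0
}

# Print a short report; call as: audit /sbin/ifconfig leet
audit() {
    if pam_wheel_required; then
        echo "su: pam_wheel is required in /etc/pam.d/su"
    else
        echo "su: no active pam_wheel requirement found"
    fi
    if group_only_exec "$1" "$2"; then
        echo "$1: executable by owner and group $2 only"
    else
        echo "$1: not restricted to group $2"
    fi
}
```

A commented-out `pam_wheel.so` line or one using a control flag other than `required` is reported as not enforced.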
