How can I restrict certain users from running certain commands such as su?...
- 07-05-2005 #1
- 07-05-2005 #2
Unless a normal user knows the root password, they can't use a command like su. At least, it won't do anything. Even if they tried 'sudo', their normal user password wouldn't work unless the user was specifically added to the sudoers group.
Don't mean to sidestep your question, but do you have a better example of what commands you want to restrict?
Registered Linux user #270181
TechieMoe's Tech Rants
- 07-05-2005 #3
You can make the executable for su (/bin/su) only available for people within a group. I think this is done already with the wheel group: if they're a part of the wheel group they can access it, otherwise not.
I'll base my following example on /sbin/ifconfig. Firstly create a group (do all of the following as root)
Code:
chgrp leet /sbin/ifconfig
Code:
chmod 554 /sbin/ifconfig
Code:
usermod -g leet john
- 07-05-2005 #4
I don't think a wheel group exists in Linux as it does in BSD (at least that I know of). But your steps here are actually a very good idea for hardening Linux a bit, for a multi-user system.
edit: Hmm, I take that back. The wheel group exists in /etc/group under SuSE. However, my account is not a member and can still su.
- 07-05-2005 #5
The wheel group also exists on Debian, Slackware, and I suppose on other distros also, it is mentioned in the sudoers file, amongst others...
** Registered Linux User # 393717 and proud of it ** Check out www.zenwalk.org
** Zenwalk 2.8 - Xfce 4.4 beta 2- 220.127.116.11 kernel = Slack on steroids! **
- 07-05-2005 #6
There is an option in /etc/login.defs called SU_WHEEL_ONLY which you can change to yes to have wheel access only, after that you need to add users to the root group of /etc/group in order for them to use su, anyone not in the group will be met with this message:
bash-2.05b$ su
You are not authorized to su root
- 07-05-2005 #7
- 07-05-2005 #8
There is an option in /etc/login.defs called SU_WHEEL_ONLY which you can change to yes to have wheel access only
- 07-06-2005 #9
Well, these excellent ideas got me exploring in SuSE. I found that adding the entry to /etc/profile.defs does not work correctly (in SuSE 9.2) - that or I implemented it incorrectly. But it seemed pretty straightforward.
One way that does work (in SuSE 9.2) is adding the entry
Code:
auth required pam_wheel.so
Then of course any user you want to be able to su to root must be in the wheel group.
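
A check for the pam_wheel setup described in the last post, as an added example that is not part of the original thread: it reports whether a PAM file carries an active "auth required pam_wheel.so" line and who is listed in the wheel group. The file paths are passed as arguments because the post does not name the file; the function names, sample files and gid are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit whether su is limited to wheel members via pam_wheel.
# File paths are arguments; the samples at the bottom are constructed.

# pam_wheel_enforced PAMFILE: exit 0 only if an uncommented
# "auth required|requisite pam_wheel.so" line is present.
pam_wheel_enforced() {
    awk '
        /^[ \t]*#/ { next }    # a commented-out entry enforces nothing
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
            ($3 == "pam_wheel.so" || $3 ~ /\/pam_wheel\.so$/) { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# group_members GROUPFILE GROUP: print the member list (4th field).
# Users who only have GROUP as their primary group are not listed there.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# su_audit PAMFILE GROUPFILE [GROUP]: one-line verdict, status 0/1/2.
su_audit() {
    grp=${3:-wheel}
    if ! pam_wheel_enforced "$1"; then
        echo "OPEN: no enforcing pam_wheel line in $1"
        return 1
    fi
    members=$(group_members "$2" "$grp")
    if [ -z "$members" ]; then
        echo "CHECK: pam_wheel active but $grp lists no members"
        return 2
    fi
    echo "RESTRICTED: su limited to $grp members: $members"
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_rootok.so' '#auth required pam_wheel.so' > "$tmp/su.default"
printf '%s\n' 'auth sufficient pam_rootok.so' 'auth required pam_wheel.so' > "$tmp/su.hardened"
printf '%s\n' 'root:x:0:' 'wheel:x:10:john' > "$tmp/group"

su_audit "$tmp/su.default"  "$tmp/group" || true
su_audit "$tmp/su.hardened" "$tmp/group" || true
```

The first sample shows the common failure mode where the entry is present but commented out, which the audit reports as OPEN.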