• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 258

How do I stop users from "su" into accounts even if they know the password in Solaris?

Is there a way to stop users from accessing accounts even if they know the passwords? We have users "su" all over the place. Is there a way to prevent this with sudo, RBAC or something else? If not, how can I make an existing account a RBAC for group access?
Sultaana43
Asked:
3 Solutions
 
omarfarid Commented:
You can simply remove the execute / run priv from the command su.
 
Sultaana43 Author Commented:
Hi Omarfarid. Can you show me the steps? I have not worked with "SU." Thanks.
 
arober11 Commented:
Taking it a step further:

You could change its group to one only specific bodies have access to, and then remove public execute access, e.g.

/usr/sbin/groupadd -g 123 theGods
chgrp theGods /usr/bin/su /sbin/su.static
# o-x removes execute for "other" only; a-x would also remove it for root and theGods
chmod o-x /usr/bin/su /sbin/su.static

You could also grant access via /etc/sudoers or a Solaris RBAC role.
 
omarfarid Commented:
I think you could revoke the execute perm for others by running

chmod o=0 /usr/bin/su

I would not change the group ownership or priv. since it could impact system users.
 
Sultaana43 Author Commented:
Hi Guys. How do I change the gid back to root's? No one can su to root.

ls -l /usr/bin/su
-rwxr-x---   1 root     testgrp    25728 Feb 12  2009 /usr/bin/su
 
omarfarid Commented:
Use

chgrp root /usr/bin/su
 
Sultaana43 Author Commented:
Thanks so much!
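
A way to audit the result of the permission changes discussed in this thread, as an added example that is not part of the original posts: it parses an `ls -l` line for su and reports whether the binary is still setuid root, runnable by the allowed group, and closed to everyone else. The function name, the allowed-group argument and every sample listing except the first (which is the one posted in the thread) are assumptions constructed here.

```shell
#!/bin/sh
# Added example: audit an `ls -l` line for su after restricting it to a group.
# Returns 0 only if su is setuid root, runnable by the allowed group and
# not executable by "other". Prints one finding per problem.
#   $1 = ls -l line for su    $2 = allowed group (site-specific assumption)
check_su_listing() {
    want_group=$2
    # Fields of `ls -l`: mode, link count, owner, group, remainder.
    read -r mode links owner group rest <<EOF
$1
EOF
    # Mode string: char 1 = type, 2-4 = owner, 5-7 = group, 8-10 = other.
    owner_x=$(printf '%s' "$mode" | cut -c4)
    group_x=$(printf '%s' "$mode" | cut -c7)
    other_x=$(printf '%s' "$mode" | cut -c10)
    rc=0
    [ "$owner" = root ] || { echo "owner is $owner, expected root"; rc=1; }
    # 's' = setuid + execute; without it su cannot switch users for non-root callers.
    [ "$owner_x" = s ] || { echo "setuid bit missing or unusable ($mode)"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, expected $want_group"; rc=1; }
    case $group_x in
        x|s) ;;
        *) echo "group $group has no execute permission"; rc=1 ;;
    esac
    case $other_x in
        x|t) echo "su is executable by every user"; rc=1 ;;
    esac
    return $rc
}

# Demo. The first listing is the one from the thread; the others are constructed.
demo() {
    while IFS='|' read -r grp listing; do
        echo "== $listing"
        if check_su_listing "$listing" "$grp"; then echo "OK: restricted to $grp"; fi
    done <<'EOF'
testgrp|-rwxr-x---   1 root     testgrp    25728 Feb 12  2009 /usr/bin/su
theGods|-rwsr-x---   1 root     theGods    25728 Feb 12  2009 /usr/bin/su
theGods|-rwSr-----   1 root     theGods    25728 Feb 12  2009 /usr/bin/su
theGods|-r-sr-xr-x   1 root     sys        25728 Feb 12  2009 /usr/bin/su
EOF
}
demo
```

On a live system, feed it the real listing, for example `check_su_listing "$(ls -l /usr/bin/su)" theGods`.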