How do I stop user's from "su" into accounts even if they know the password in Solaris?

Is there a way to stop user's from accessing account's even if they know the password's? We have user's "su" all over the place.Is there a way to prevent this with sudo, rbac or something else? If not how can I make an existing account a RBAC for group access?
Who is Participating?
omarfaridConnect With a Mentor Commented:
you can simply remove the execute / run priv from the command su
Sultaana43Author Commented:
Hi Omarfarid. Can you show me the steps? I have not worked with "SU." Thanks.
arober11Connect With a Mentor Commented:
Taking it a step further:

You could change it's group, to one only specific bodies have access to, and then remove public execute access e.g.

/usr/sbin/groupadd -g 123   theGods
chgrp  theGods /usr/bin/su  /sbin/su.static
chmod a-x        /usr/bin/su   /sbin/su.static

You could also grant access via /etc/sudoer or an Solaris RBAC role.
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

omarfaridConnect With a Mentor Commented:
I think you could revoke the execute perm for others by running

chmod o=0 /usr/bin/su

I would not change the group ownership or priv. since it could impact system users
Sultaana43Author Commented:
Hi Guys. How do I change the gid back to root's? No one can su to root.

ls -l /usr/bin/su
-rwxr-x---   1 root     testgrp    25728 Feb 12  2009 /usr/bin/su

chgrp root /usr/bin/su
Sultaana43Author Commented:
Thanks so much!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.