Re: Block remote 'su'

On December 15, 2003 11:49 am, Gabby James wrote:
> I want to block all remote users from being able to switch to the root
> user. For example, if a user connects via ssh as a user named 'john', I do
> not want them to be able to do a 'su -' command to become root.  I only
> want users that are actually sitting at the terminal to be able to switch
> to the root user.  Could anyone give me some ideas on how to accomplish
> this?
>
> Thanks!
> GJ

Hi,
there are probably a few ways to do this; PAM and/or /etc/security would be 
the best places to start.
You may have a script (su wrapper?) check for the terminal type of the user. 
Look at the output of "w". If a user is at the console (not a gui) they show 
as logged in on TTYx, but if they are remote or in a gui terminal, they show 
as a pts. Here is root & a user each with console logins, plus a remote 
login (last entry) and a bunch of local gui terminals:

[pete@nebula pete]$ w
  6:43pm  up 19 days, 23:18, 15 users,  load average: 0.04, 0.05, 0.02
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     tty1     -                 6:06pm 36:15   0.06s  0.06s  -bash
pete     tty2     -                 6:42pm  9.00s  0.05s  0.05s  -bash
pete     :0       -                29Nov03   ?     0.00s   ?     -
pete     pts/0    -                29Nov03 15days  0.00s   ?     -
pete     pts/1    -                29Nov03 16:35   5.96s  5.78s  -bash
pete     pts/2    -                30Nov03  1.00s  1.23s  0.22s  ssh 192.168.1.27
pete     pts/5    -                30Nov03 52:05   1:16   1:16   mpg123
pete     pts/3    -                30Nov03 21:23m  0.11s  0.11s  /bin/bash
pete     pts/4    -                30Nov03 52:00   0.44s  0.35s  aumix
pete     pts/7    -                 6:29pm  4:00   0.23s  0.23s  /bin/bash
pete     pts/6    tvbox.nesbitt.so  6:39pm  1.00s  0.03s  0.02s  w

You have two targets: the TTY type or the FROM.
That should get you looking in the right direction anyway.

One thing you may need to watch out for is the effect on any scripts that may 
need to su to a different user, so your solution should only restrict su'ing 
to root.

Depending on what you are after, sudo may be part of the solution, and do not 
allow su to root at all.

-- 
Pete Nesbitt, rhce
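The console-only check described in the reply above, written out as an added example (not code from the thread or from Red Hat). It assumes Linux naming as shown in the "w" output: virtual consoles are /dev/ttyN and ssh or GUI sessions get /dev/pts/N, and it assumes a hypothetical layout where the real binary has been moved to /usr/bin/su.real and this script installed in its place. Only su to root is restricted, so scripts that su to other users keep working.

```shell
#!/bin/sh
# Added example: a su wrapper's policy check based on the terminal type.
# Assumes /dev/ttyN = local virtual console, /dev/pts/N = ssh or GUI
# pseudo-terminal (the distinction visible in "w"), and a hypothetical
# real binary at /usr/bin/su.real.

# su_to_root_allowed TARGET_USER TTY_PATH
# Exit status 0 = allow, 1 = deny.
su_to_root_allowed() {
    target="$1"
    tty_path="$2"

    # Only switching to root is restricted; other targets always pass.
    [ "$target" = "root" ] || return 0

    case "$tty_path" in
        /dev/tty[0-9]*) return 0 ;;   # virtual console: physically local
        /dev/pts/*)     return 1 ;;   # pseudo-terminal: remote or GUI
        *)              return 1 ;;   # no tty at all (cron, batch jobs)
    esac
}

# Wrapper entry point: "tty" prints the controlling terminal, or
# "not a tty" with non-zero status when stdin is not a terminal.
wrapper_main() {
    target="${1:-root}"
    cur_tty="$(tty 2>/dev/null)" || cur_tty=""
    if su_to_root_allowed "$target" "$cur_tty"; then
        exec /usr/bin/su.real "$@"          # hypothetical path to real su
    fi
    echo "su to root is only permitted from the local console" >&2
    exit 1
}

# Act as the wrapper only when installed under the name "su".
if [ "$(basename -- "$0")" = "su" ]; then
    wrapper_main "$@"
fi
```

A wrapper like this is only as strong as the file permissions on the real binary, which is why the reply points at PAM and /etc/security first: a policy applied inside su itself cannot be sidestepped by calling the renamed binary directly.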


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
