rathorehemant
1 Post

How to stop su from root

‏2013-05-15T11:48:56Z | su

How can I restrict (by throwing a password) if he is logging into my account from the root user using su?

  • GarlandJoseph
    167 Posts

    Re: How to stop su from root

    ‏2013-05-15T15:25:49Z  

    You can't restrict root.

  • gcorneau
    59 Posts

    Re: How to stop su from root

    ‏2013-05-15T16:38:06Z  

    You can't restrict root.

    You can disable root if using RBAC:

    http://pic.dhe.ibm.com/infocenter/aix/v7r1/topic/com.ibm.aix.security/doc/security/rbac_disable_root.htm

  • biblio93
    7 Posts

    Re: How to stop su from root

    ‏2013-05-16T18:15:34Z  

    It's very simple.

    Edit the file /etc/ssh/sshd_config

    and modify the line

    PermitRootLogin to no

    Stop and start the service with:

    stopsrc -s sshd

    startsrc -s sshd

    Verify the status of the sshd service:

    lssrc -a | grep ssh

    sshd --> active

     

  • biblio93
    7 Posts

    Re: How to stop su from root

    ‏2013-05-17T17:05:17Z  
    • biblio93
    • ‏2013-05-16T18:15:34Z


    Sorry for my first response (ssh).

    Since you are on AIX, you can simply choose no for "can other users su user" in smitty user.

    command chuser

    subcommand of chuser for user root

    su Indicates whether another user can switch to the specified user account with the su command. Possible values are:

    true
    Another user can switch to the specified account. This is the default.
    false
    Another user cannot switch to the specified account.
  • dukessd
    345 Posts

    Re: How to stop su from root

    ‏2013-05-18T23:20:17Z  
    • biblio93
    • ‏2013-05-17T17:05:17Z


    ...and then root can simply change it back to true.

    Root has the system; as a mere user you cannot escape from root in AIX.

    HTH

  • biblio93
    7 Posts

    Re: How to stop su from root

    ‏2013-05-19T07:48:30Z  
    • dukessd
    • ‏2013-05-18T23:20:17Z


    If you feel that the root account can not log on to your user.
    What to do if you have a problem on your account?
    Root is the administration user of UNIX.
    At least put in place e.g. eTrust (product sales), very complicated to implement and administer, or RBAC.

    You'll spend more time managing your account and machines (through RBAC) or implement C2 security.
    Good luck in case of an access or application problem through your account.

     

     

     

  • biblio93
    7 Posts

    Re: How to stop su from root

    ‏2013-05-19T08:08:30Z  
    • biblio93
    • ‏2013-05-19T07:48:30Z


    It's not so simple with RBAC.
    I know some companies that have established RBAC (except Oracle database and management HMC).

    In fact, for "su" I think the cleanest approach is to remove all execute permissions on /usr/bin/su, then use RBAC to allow some users to execute the command file. Basically you have to create an authorization, a role that you give the permission to, then replace accessauths = ALLOW_ALL with accessauths = ton_autorisation for /usr/bin/su. Then you give the users of your choice permission to assume the role that you created (attribute "roles"). You can even give them the role in question automatically (attributes "roles" + "default_roles").

    Look at the commands mkauth, mkrole, setsecattr, chuser, setkst.

    If you do not trust the root user, it's pretty annoying.
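
Added example, not part of the original thread and not IBM's code: a dry-run planner that prints, in order, the AIX commands for the RBAC delegation of su outlined in the last post. The authorization name `custom_su` (standing in for the post's `ton_autorisation`) and the role name `su_users` are hypothetical, and, as noted earlier in the thread, root can still revert every step.

```shell
#!/bin/sh
# Dry-run planner: prints the commands, executes nothing.
# Review the output, then run it as root on AIX with enhanced RBAC enabled.
# AUTH and ROLE are hypothetical names chosen for this example.
AUTH=${AUTH:-custom_su}
ROLE=${ROLE:-su_users}
CMD=/usr/bin/su

valid_login() {
    # Accept only plain login names so nothing can inject shell syntax
    # into the generated command lines.
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

su_rbac_plan() {
    [ "$#" -gt 0 ] || { echo "usage: su_rbac_plan user..." >&2; return 2; }
    for u in "$@"; do
        valid_login "$u" || { echo "refusing login name: $u" >&2; return 1; }
    done
    # 1. Authorization, and a role that carries it.
    echo "mkauth dfltmsg='Run su' $AUTH"
    echo "mkrole authorizations=$AUTH dfltmsg='May run su' $ROLE"
    # 2. Replace accessauths=ALLOW_ALL on su with the new authorization.
    echo "setsecattr -c accessauths=$AUTH $CMD"
    # 3. Grant the role. chuser overwrites the existing role list, so merge
    #    with the output of 'lsuser -a roles <user>' if the user has roles.
    for u in "$@"; do
        echo "chuser roles=$ROLE default_roles=$ROLE $u"
    done
    # 4. Load the updated databases into the kernel security tables, verify.
    echo "setkst"
    echo "lssecattr -c -a accessauths $CMD"
    # 5. The post's first step, emitted last so a failed RBAC step does not
    #    leave su unusable for everyone.
    echo "chmod a-x $CMD"
}

# Script usage: sh su_rbac_plan.sh alice bob
[ "$#" -eq 0 ] || su_rbac_plan "$@"
```

After applying the plan, `lsuser -a roles default_roles <user>` shows the assignment; a user without `default_roles` has to activate the role with `swrole` before running su.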