Securing and Optimizing Linux:RedHat Edition | All about OS

Blocking anyone to su to root

Category: Securing and Optimizing

The su (Substitute User) command allows you to become another existing user on the system. For example, you can temporarily become “root” and execute commands as the super-user “root”. If you don’t want anyone to su to root, or want to restrict the “su” command to certain users, add the following two lines to the top of your “su” configuration file in the “/etc/pam.d/” directory. We highly recommend that you limit the people allowed to “su” to the root account.
Step 1
Edit the su file (vi /etc/pam.d/su) and add the following two lines to the top of the file:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
After adding the two lines above, the “/etc/pam.d/su” file should look like this:
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so debug
auth       required     /lib/security/pam_wheel.so group=wheel
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_xauth.so
This means that only members of the “wheel” group can su to root; the “debug” option also adds logging. Note that the “wheel” group is a special group on your system reserved for this purpose: you cannot substitute an arbitrary group name of your choosing for this hack. Combined with specifying which TTY devices root is allowed to log in on, this hack will improve the security of your system a lot.
Step 2
Now that we have defined the “wheel” group in our “/etc/pam.d/su” configuration file, it is time to add the users allowed to “su” to the “root” account. If you want to make, for example, the user “admin” a member of the “wheel” group, and thus able to su to root, use the following command:
[root@deep /]# usermod -G10 admin
Here “-G” specifies the list of supplementary groups the user is also a member of, “10” is the numeric ID (GID) of the “wheel” group, and “admin” is the user we want to add to the “wheel” group. Use the same command for every user on your system you want to be able to su to the “root” account.
NOTE: If you can’t su in a GNOME terminal, it’s because you’ve used the wrong terminal. (So don’t think that this advice doesn’t work simply because of a terminal problem!)
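The following audit script is an added example, not part of the original book or Red Hat's tooling. It checks a PAM “su” file for the wheel-only restriction described above, including the ordering subtlety that a “sufficient” password line placed before pam_wheel.so would satisfy the auth stack before pam_wheel is consulted, and checks group membership against an /etc/group-style file. The PAM and group files it reads are constructed samples embedded inline; point the functions at /etc/pam.d/su and /etc/group to audit a real host.

```shell
#!/bin/sh
# Constructed sample su config matching the book's recommended layout.
GOOD_SU=$(mktemp)
cat > "$GOOD_SU" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so debug
auth       required     /lib/security/pam_wheel.so group=wheel
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
EOF

# Constructed weak variant: the password line is "sufficient" and sits before
# pam_wheel, so anyone holding the root password passes without being in wheel.
WEAK_SU=$(mktemp)
cat > "$WEAK_SU" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so debug
auth       sufficient   /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_wheel.so group=wheel
EOF

# Constructed /etc/group sample; GID 10 is wheel, as on the book's system.
GROUP_FILE=$(mktemp)
printf 'root:x:0:root\nwheel:x:10:root,admin\nusers:x:100:bob\n' > "$GROUP_FILE"

# su_restricted_to_wheel FILE -> 0 if the auth stack has an active
# required/requisite pam_wheel.so line and no "sufficient" line other
# than pam_rootok.so precedes it.
su_restricted_to_wheel() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }      # skip comments and blanks
        $1 != "auth" { next }
        !found && $2 == "sufficient" && $3 !~ /pam_rootok\.so/ { bypass = 1 }
        ($2 == "required" || $2 == "requisite") && $3 ~ /pam_wheel\.so/ { found = 1 }
        END { if (found && !bypass) exit 0; exit 1 }
    ' "$1"
}

# in_wheel USER GROUPFILE -> 0 if USER appears in the wheel line of GROUPFILE.
in_wheel() {
    awk -F: -v u="$1" '
        $1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$2"
}

# Caveat when adding users: "usermod -G" replaces the whole supplementary
# group list; usermod versions that support -a can append with "usermod -aG wheel admin".
su_restricted_to_wheel "$GOOD_SU" && echo "sample config: su restricted to wheel"
su_restricted_to_wheel "$WEAK_SU" || echo "weak sample: password-only path precedes pam_wheel"
in_wheel admin "$GROUP_FILE" && echo "admin is in wheel and may su to root"
```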
