Tuesday, August 14, 2007

restrict su command to superuser only

Man su says:
su - run a shell with substitute user and group IDs

Restricting the su command to the root superuser is simple. Here are the quick steps.

First, find where the su binary lives:

# which su

returns
~~~~~~~~~~~~~~~
/bin/su
~~~~~~~~~~~~~~~

Note the current file mode bits and ownership of the su binary:
# ls -la /bin/su
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-rwxr-xr-x 1 root root 24284 Sep 28 2006 /bin/su
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notice that the su binary is world readable and world executable. This means any local account with a shell can run su and, with a guessed or stolen root password, become root. If you want only root to be able to run it, change the mode as follows:

# chmod 700 /bin/su

Now only root can execute the su binary.

Note that this is not advisable if your su binary is setuid root, which on almost every Linux system it is, showing attributes like these:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-rwsr-xr-x 1 root root 27052 2007-04-02 16:33 /bin/su
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The s in the owner execute position is the setuid bit; it is what lets an ordinary user's su process run as root after the password check. chmod 700 replaces the whole mode, so it clears that bit as well. Root is unaffected either way (root bypasses the mode bits and never needed setuid), so package scripts that run su as root keep working, but every non-root use of su breaks, including administrators who su to root from their own accounts. If that is what you need to keep, do not strip execute permission from everyone: keep the setuid bit and limit execution to an administrative group instead, for example mode 4750 owned by root and a group such as wheel, so that only members of that group can run su at all. Remember also that a package upgrade reinstalls su with the distribution's default mode, so the change has to be re-applied or recorded with the package manager's permission override mechanism.

The other way to do it is through PAM: the pam_wheel module, configured in /etc/pam.d/su, limits su to members of a given group without touching the file mode, so the binary stays setuid and a package upgrade cannot silently undo the restriction.
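The following shell script is an added example, not part of the original post. It automates the check the post does by hand (reading the mode field of ls -la on su), shows on a scratch file why chmod 700 is the wrong fix for a setuid binary, applies the group restriction (mode 4750, root:group) that keeps su usable for one admin group, and audits a pam.d/su file for an active pam_wheel line. It assumes the ten-character mode field printed by ls -ld, an admin group named wheel (substitute yours), and, in a comment, the Debian dpkg-statoverride command for making the mode survive upgrades; none of these come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit the su binary, apply a
# group restriction instead of chmod 700, and check /etc/pam.d/su for
# pam_wheel. Assumptions: ls -ld mode field layout, an admin group called
# "wheel" on a real system (the demo uses the caller's own group).

# Classify the 10-character mode field of `ls -ld`, e.g. "-rwsr-xr-x":
# position 4 carries the setuid bit (s/S), position 7 the group execute
# bit and position 10 the other (world) execute bit.
classify_mode() {
    m=$1
    case $(printf '%s' "$m" | cut -c4) in
        s|S) suid=yes ;;
        *)   suid=no ;;
    esac
    if [ "$(printf '%s' "$m" | cut -c10)" = x ]; then
        who=world      # any local account can run it and try passwords
    elif [ "$(printf '%s' "$m" | cut -c7)" = x ]; then
        who=group      # only the owning group (and the owner) can run it
    else
        who=owner      # only the owner can run it
    fi
    printf 'setuid=%s exec=%s\n' "$suid" "$who"
}

# Inspect a file on disk and classify it, e.g. inspect /bin/su
inspect() {
    classify_mode "$(ls -ld "$1" | cut -c1-10)"
}

# Keep the setuid bit, drop world execute, give execute to one admin group.
# On a real /bin/su this needs root: restrict_to_group /bin/su wheel
restrict_to_group() {
    path=$1 group=$2
    chgrp "$group" "$path" && chmod 4750 "$path" && inspect "$path"
}
# Debian: record the override so a package upgrade does not reset it
# (assumed command, not from the post):
#   dpkg-statoverride --update --add root wheel 4750 /bin/su

# PAM alternative: succeed if a pam.d/su file has an active (uncommented)
# auth line loading pam_wheel.so, fail otherwise.
pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# Demonstration on a scratch file, never on the real /bin/su.
demo() {
    f=$(mktemp) && chmod 4755 "$f"   # same bits as the post's setuid listing
    inspect "$f"                     # setuid=yes exec=world
    chmod 700 "$f"; inspect "$f"     # setuid=no exec=owner: setuid is gone
    chmod 4755 "$f"
    restrict_to_group "$f" "$(id -gn)"   # setuid=yes exec=group
    rm -f "$f"
}
```

Running `demo` prints the three classifications in order; the middle line is the point the post's caveat is making, since 700 leaves the file usable by root alone and by no one else. On a production host, run `inspect /bin/su` first, then either `restrict_to_group /bin/su <group>` as root or add the pam_wheel line and confirm it with `pam_wheel_enabled /etc/pam.d/su`.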

That's all.

ILoveTux - howtos and news