Man su says:
su - run a shell with substitute user and group IDs
Restricting the su command to the root superuser only is really simple. Here are the quick steps.
First, determine the path of the binary.
# which su
returns
~~~~~~~~~~~~~~~
/bin/su
~~~~~~~~~~~~~~~
Note the current file mode bits and restrictions of the su binary:
# ls -la /bin/su
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-rwxr-xr-x 1 root root 24284 Sep 28 2006 /bin/su
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Notice that the su binary is world-executable and world-readable. This basically means anybody can call and execute the su binary and, with a stolen password for instance, gain access to bash-enabled user accounts. If you wish to change this, issue the following command:
# chmod 700 /bin/su
Now only root, and root alone, can execute the su binary.
Note that it is not advisable to do this if your su binary is setuid root (chmod 700 also clears the setuid bit), that is, if it has attributes like those below:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-rwsr-xr-x 1 root root 27052 2007-04-02 16:33 /bin/su
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
as it could affect some applications and packages that rely on the setuid-root su binary.
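The check-then-chmod steps above, with the setuid caveat enforced, as an added example that is not part of the original post. The function names (classify_mode, mode_of, restrict_su) and the script name in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a su binary's mode before applying chmod 700.
# classify_mode MODE: MODE is the first column of `ls -l` (e.g. -rwxr-xr-x).
# Prints setuid, world-exec or restricted.
classify_mode() {
    mode=$1
    owner_x=$(printf '%s' "$mode" | cut -c4)    # x, s or S for the owner
    other_x=$(printf '%s' "$mode" | cut -c10)   # x or t if others may execute
    case $owner_x in
        s|S) echo setuid; return 0 ;;
    esac
    case $other_x in
        x|t) echo world-exec ;;
        *)   echo restricted ;;
    esac
}

# mode_of PATH: the ten mode characters ls prints for PATH (symlinks followed).
mode_of() {
    ls -ldL -- "$1" | cut -c1-10
}

# restrict_su PATH [apply]: dry run by default; "apply" runs chmod 700.
# Returns 0 = restricted (already or now), 1 = change pending,
#         2 = setuid, left alone, 3 = PATH not found.
restrict_su() {
    path=$1
    action=${2:-check}
    [ -e "$path" ] || { echo "$path: not found" >&2; return 3; }
    case $(classify_mode "$(mode_of "$path")") in
        setuid)
            echo "$path: setuid, mode left unchanged"
            return 2 ;;
        restricted)
            echo "$path: already not world-executable"
            return 0 ;;
        world-exec)
            if [ "$action" = apply ]; then
                chmod 700 -- "$path" && echo "$path: mode set to 700"
            else
                echo "$path: world-executable, chmod 700 pending"
                return 1
            fi ;;
    esac
}

# Example: sh check_su.sh /bin/su        (dry run)
#          sh check_su.sh /bin/su apply  (as root)
if [ $# -gt 0 ]; then restrict_su "$@"; fi
```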
The alternative is to modify the PAM settings for su to control authenticated usage of the su binary.
That's all.
Cheers then
VeRTiTO
Email: vertito@gmail.com