Blocking su to root


The su (Substitute User) command allows you to become another existing user on the system. For example, you can temporarily become ‘root’ and execute commands as the super-user ‘root’.

Step 1

If you don’t want anyone to su to root, or want to restrict the su command to certain users, uncomment the following line in the su configuration file in the /etc/pam.d directory. We highly recommend that you limit the persons allowed to su to the root account.

Edit the su file (vi /etc/pam.d/su) and uncomment the following line in the file:

auth required /lib/security/pam_wheel.so use_uid


After this line has been uncommented, the /etc/pam.d/su file should look like this:

#%PAM-1.0
auth      sufficient  /lib/security/pam_rootok.so
auth      required    /lib/security/pam_wheel.so use_uid
auth      required    /lib/security/pam_stack.so service=system-auth
account   required    /lib/security/pam_stack.so service=system-auth
password  required    /lib/security/pam_stack.so service=system-auth
session   required    /lib/security/pam_stack.so service=system-auth
session   optional    /lib/security/pam_xauth.so

This means that only members of the “wheel” group can su to root; the module also logs the attempt. Note that “wheel” is a special group on your system that exists for this purpose: you cannot use any group name you want for this hack. This hack, combined with restricting which TTY and VC devices super-user root is allowed to log in on, will improve the security of your system a lot.

Step 2

Now that we have required the “wheel” group in our /etc/pam.d/su configuration file, it is time to add the users who will be allowed to su to the super-user “root” account.

If you want to make, for example, the user “admin” a member of the “wheel” group, and thus able to su to root, use the following command:

[root@MisLinux /]# usermod -G10 admin

Here “-G” gives the list of supplementary groups the user is also a member of, “10” is the numeric group ID of the “wheel” group, and “admin” is the user we want to add to the “wheel” group. Note that usermod -G replaces the user’s existing list of supplementary groups rather than appending to it, so verify the result with the id command afterwards.

Use the same command for every user on your system you want to be able to su to the super-user “root” account.

NOTE: For Linux users who use the X Window interface, it is important to note that if you can’t su in a GNOME terminal, it is because you have used the wrong terminal. (So don’t conclude that this advice doesn’t work simply because of a GNOME terminal problem!)


Optional:

A special line exists in the su file /etc/pam.d/su which allows you to implicitly trust users in the “wheel” group (for security reasons, I don’t recommend using this option). It means that all members of the “wheel” group can su to root without entering the super-user “root” password.

To allow members of the “wheel” group to su to the root account without entering the “root” password, edit the su file (vi /etc/pam.d/su) and uncomment the following line in the file:

auth sufficient /lib/security/pam_wheel.so trust use_uid

After this line has been uncommented, the /etc/pam.d/su file should look like this:


#%PAM-1.0
auth      sufficient  /lib/security/pam_rootok.so
auth      sufficient  /lib/security/pam_wheel.so trust use_uid
auth      required    /lib/security/pam_stack.so service=system-auth
account   required    /lib/security/pam_stack.so service=system-auth
password  required    /lib/security/pam_stack.so service=system-auth
session   required    /lib/security/pam_stack.so service=system-auth
session   optional    /lib/security/pam_xauth.so


Using sudo instead of su for logging in as super-user

There is a security tool called “sudo” that we discuss later in this book. This security software allows us to achieve the same result as using the su command to get root privileges on the server, but in a more secure and informative way. With sudo installed on our server, we can get information about who is connected as super-user root, along with many other useful features.

Please see the chapter on this security program in this book for more information about sudo.

If you want to use sudo to allow and control who is permitted to log in as super-user root on your server, then you no longer need the su command of Linux for this task, and we can remove the SUID bit from that command to completely disable su and use sudo instead. This lets us remove one more SUID bit on our secure server and have a more complete and powerful security software controlling access to super-user root.

This is the method I highly recommend you use instead of the su command of Linux.

Step 1

To achieve this result, we have to remove the SUID bit from the su command and install the sudo security software. This also implies that we don’t need to modify the su configuration file described above. To recap, all we need to do is remove the SUID bit from the su command and install sudo on our server.

To remove the SUID bit on the su binary, use the following command:

[root@MisLinux /]# chmod a-s /bin/su
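A small shell audit helper, added here as an example and not part of the original article, ties the controls above together: it reports whether a su PAM file has an active pam_wheel line and whether that line carries the trust option the text advises against, whether a given user is listed on the wheel line of a group file, and whether the su binary still has its SUID bit after the chmod above. The file paths and sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the article). It checks the controls the article
# describes: pam_wheel active in the su PAM file, the "trust" option absent,
# wheel-group membership in the group file, and whether the su binary still
# carries its SUID bit. Paths are parameters so it can run on sample files.

# su_policy FILE -> prints one of: wheel | trust | open
#   wheel: active pam_wheel auth line without "trust" (root password still asked)
#   trust: active pam_wheel line with "trust" (wheel members skip the password)
#   open : no active pam_wheel line (any user knowing root's password may su)
su_policy() {
    # Drop commented lines, keep only auth lines that load pam_wheel.so
    lines=$(grep -v '^[[:space:]]*#' "$1" | grep -E '^[[:space:]]*auth[[:space:]].*pam_wheel\.so' || true)
    if [ -z "$lines" ]; then
        echo open
    elif printf '%s\n' "$lines" | grep -qw trust; then
        echo trust
    else
        echo wheel
    fi
}

# in_wheel GROUPFILE USER -> exit 0 if USER is listed on the wheel line
in_wheel() {
    # group file format: name:password:gid:member1,member2,...
    members=$(awk -F: '$1 == "wheel" { print $4 }' "$1")
    printf '%s\n' "$members" | tr ',' '\n' | grep -qx "$2"
}

# su_is_suid PATH -> exit 0 if the setuid bit is set (the article's chmod a-s clears it)
su_is_suid() {
    [ -u "$1" ]
}

# Constructed sample files (not copied from any real system)
TMP=$(mktemp -d)
printf '#%%PAM-1.0\nauth sufficient /lib/security/pam_rootok.so\nauth required /lib/security/pam_wheel.so use_uid\n' > "$TMP/su.wheel"
printf '#%%PAM-1.0\nauth sufficient /lib/security/pam_rootok.so\nauth sufficient /lib/security/pam_wheel.so trust use_uid\n' > "$TMP/su.trust"
printf '#%%PAM-1.0\nauth sufficient /lib/security/pam_rootok.so\n#auth required /lib/security/pam_wheel.so use_uid\n' > "$TMP/su.open"
printf 'root:x:0:\nwheel:x:10:admin,ops\nusers:x:100:\n' > "$TMP/group"

echo "su.wheel -> $(su_policy "$TMP/su.wheel")"   # wheel
echo "su.trust -> $(su_policy "$TMP/su.trust")"   # trust
echo "su.open  -> $(su_policy "$TMP/su.open")"    # open
in_wheel "$TMP/group" admin && echo "admin may su to root"
in_wheel "$TMP/group" guest || echo "guest may not su to root"
su_is_suid /bin/su && echo "/bin/su is still SUID" || echo "/bin/su has no SUID bit"
```

Run it against the real files (/etc/pam.d/su and /etc/group) by passing those paths to the functions; on a system where the SUID bit was removed as described above, the last line reports that /bin/su has no SUID bit.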

