Re: [newbie] deny access to su
Mike,

You've just made what is my point for me in the following:

Mike Oliver wrote:

> Or maybe it's to prevent *inadvertent* rather than malicious damage?
> Something like: People in our group might find out the root pword and
> be tempted to su to quick-fix some difficulty they're having, then they
> might break something and we wouldn't know who was responsible, so
> we'll just remove the temptation? I guess that makes a certain amount
> of sense, but it's not terribly flattering to your coworkers.

You can't set everyday policy based upon occasional problems. It's a pain until it becomes habit, but in the long run, it's much easier to set up an ID whose sole function is to collect e-mail reports of system problems. This assumes you don't have some fancy help desk system already in place. Then, unless you have an unmanageable bureaucracy -- and that's another problem entirely -- the SAs can prioritize them and systematically resolve them.

There are generally enough things to do in an SA's day/week without having to sweep up after inadvertent damage. Not to mention the time wasted trying to figure out what went wrong, and how to fix it. The smaller the list of super-users, the less likely someone will fat-finger a critical file, and when it does happen, the more likely it will be fixed in a timely fashion, since the perpetrator is more easily identified, and has a more accurate idea of what they did wrong.

In my former life, I was in a group of 4 Sys Admins who were the only keepers of the root password, including our supervisor. In fact, he insisted on not knowing, to avoid those types of situations, since he appreciated our efforts in a normal environment, with fewer curve balls thrown our way.

I've had mixed feelings about giving users the root password to their own workstations. This had been a thorny issue for us in the past. On the one hand, it's easy for someone to fix their own problems, assuming they know what they're doing. On the other hand, my experience is that (myself included) there is a tendency to wait one or two fat-finger actions too late to ask for help and have things fixed quickly.

It's just too much hassle to set up and admin some sort of competency test. We sort of settled on a policy of: if you want to do it yourself, take the classes. Most would not. Budgets being what they are, there are a certain number of dollars (euros, whatever) allocated per employee for training, and they wished to take other things. That was fine, just don't cry about us not being fast enough, or again, take the classes and become part of the solution, not another problem.

The worst part of this sweeping up is the SA has to try and troubleshoot something while said user is generally hovering over their shoulder, harrumphing and often complaining they need to get work done. As if we (the SAs) have nothing better to do all day than go from desk to desk holding hands. And, if you're real lucky, you may even get a Thank you or a free cup of coffee. Like I ever need extra caffeine! At that point, I would politely ask them to tell my boss, not just me. That way, he/she would have some idea why my real job wasn't getting done on time.

My 2 cents.

--
Ted J. Wagner
((( Soundwaves )))
Fender Bender
Have Guitar, Will Travel
[EMAIL PROTECTED]
Linux *is* user-friendly, just picky who it chooses for friends!

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] deny access to su
Thanks to all who helped, esp. Michael. This works, and is what I wanted to do.

----- Original Message -----
From: Michael Viron [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 14, 2002 1:24 PM
Subject: Re: [newbie] deny access to su

> Change the group ownership on su to root:wheel . Next, remove execute
> permission from other on su.
>
> Michael
>
> --
> Michael Viron
> Core System Administration Team
> Simple End User Linux
>
> At 12:23 PM 5/14/2002 +0800, you wrote:
> > hi, i'm running mandrake 8.2. i would like to deny certain user groups
> > from running su. eg, if i create a group project, and want to deny all
> > users of project from being able to su. how do i do it? i've tried
> > manually removing users from the wheel group, in /etc/group, but
> > somehow the users can still su. am i doing something wrong? thanks
Re: [newbie] deny access to su
Michael Viron wrote:

> Change the group ownership on su to root:wheel . Next, remove execute
> permission from other on su.

I have to say I find this option kind of puzzling. What's the rationale exactly? Why couldn't an opponent who knew the root pword just execute his *own* copy of su? It seems it would have nuisance value at best. Not that nuisance value couldn't be of some practical use, provided the security admin doesn't think it's a substitute for safeguarding passwords.

Or maybe it's to prevent *inadvertent* rather than malicious damage? Something like: People in our group might find out the root pword and be tempted to su to quick-fix some difficulty they're having, then they might break something and we wouldn't know who was responsible, so we'll just remove the temptation? I guess that makes a certain amount of sense, but it's not terribly flattering to your coworkers.
Re: [newbie] deny access to su
On Tue, 14 May 2002 13:21:59 -0700
Mike Oliver [EMAIL PROTECTED] wrote:

> Michael Viron wrote:
>
> > Change the group ownership on su to root:wheel . Next, remove execute
> > permission from other on su.
>
> I have to say I find this option kind of puzzling. What's the rationale
> exactly? Why couldn't an opponent who knew the root pword just execute
> his *own* copy of su? It seems it would have nuisance value at best.
> Not that nuisance value couldn't be of some practical use, provided the
> security admin doesn't think it's a substitute for safeguarding
> passwords.
>
> Or maybe it's to prevent *inadvertent* rather than malicious damage?
> Something like: People in our group might find out the root pword and
> be tempted to su to quick-fix some difficulty they're having, then they
> might break something and we wouldn't know who was responsible, so
> we'll just remove the temptation? I guess that makes a certain amount
> of sense, but it's not terribly flattering to your coworkers.

hmm.. how about denying read access too?

Damian
Re: [newbie] deny access to su
Hi Damian,

Tuesday, May 14, 2002, 10:13:55 PM, you wrote:

DG> On Tue, 14 May 2002 13:21:59 -0700
DG> Mike Oliver [EMAIL PROTECTED] wrote:
DG> > Michael Viron wrote:
DG> > > Change the group ownership on su to root:wheel . Next, remove
DG> > > execute permission from other on su.
DG> > I have to say I find this option kind of puzzling. What's the
DG> > rationale exactly? Why couldn't an opponent who knew the root pword
DG> > just execute his *own* copy of su? It seems it would have nuisance
DG> > value at best. Not that nuisance value couldn't be of some practical
DG> > use, provided the security admin doesn't think it's a substitute for
DG> > safeguarding passwords.
DG> > Or maybe it's to prevent *inadvertent* rather than malicious damage?
DG> > Something like: People in our group might find out the root pword
DG> > and be tempted to su to quick-fix some difficulty they're having,
DG> > then they might break something and we wouldn't know who was
DG> > responsible, so we'll just remove the temptation? I guess that makes
DG> > a certain amount of sense, but it's not terribly flattering to your
DG> > coworkers.
DG> hmm.. how about denying read access too?
DG> Damian

With best wishes,

Dave
--
David Conroy MSW
Consultant, Trainer
Management Coach
International Coach Federation, ID 100666
Voluntary sector support: http://www.coaching-lab.com
Coaching via e-mail: http://www.e-coaching-only.com
Coaching for women: http://www.womens-life-coach.com
Web development/hosting: http://www.turnkey-coach.com
ICQ 127865569
Phone/Fax +44 (0)1225 314694
Re: [newbie] deny access to su
Damian G wrote:

> On Tue, 14 May 2002 13:21:59 -0700
> Mike Oliver [EMAIL PROTECTED] wrote:
>
> > Michael Viron wrote:
> >
> > > Change the group ownership on su to root:wheel . Next, remove
> > > execute permission from other on su.
> >
> > I have to say I find this option kind of puzzling. What's the
> > rationale exactly? Why couldn't an opponent who knew the root pword
> > just execute his *own* copy of su? It seems it would have nuisance
> > value at best. Not that nuisance value couldn't be of some practical
> > use, provided the security admin doesn't think it's a substitute for
> > safeguarding passwords.
>
> hmm.. how about denying read access too?

What would stop the opponent from transferring a copy of su from another machine?
Re: [newbie] deny access to su
Mike Oliver wrote:

> > Change the group ownership on su to root:wheel . Next, remove execute
> > permission from other on su.
>
> I have to say I find this option kind of puzzling. What's the rationale
> exactly? Why couldn't an opponent who knew the root pword just execute
> his *own* copy of su? It seems it would have nuisance value at best.
> Not that nuisance value couldn't be of some practical use, provided the
> security admin doesn't think it's a substitute for safeguarding
> passwords.

The rationale is you only allow a certain set of users to have execute permission for su. This gives another layer of security, as only members of the wheel group would be able to even attempt to run su. The wheel group would be made up of SAs who would understand proper security procedures with both their own password and system or network passwords. So breaking into one of their accounts should be harder than a typical user.

One cannot have his own copy of su. su is completely worthless without the +s bit set. Only root can set that bit. So your own copy of su would do nothing even if you knew the root password. At most you'd be able to su to yourself. Give it a try on any unix system...

> Or maybe it's to prevent *inadvertent* rather than malicious damage?
> Something like: People in our group might find out the root pword and
> be tempted to su to quick-fix some difficulty they're having, then they
> might break something and we wouldn't know who was responsible, so
> we'll just remove the temptation? I guess that makes a certain amount
> of sense, but it's not terribly flattering to your coworkers.

If any user can find out the root password then there are already some serious problems going on with security procedures and policy.

--
Bryan Whitehead
SysAdmin - JPL - Interferometry Systems and Technology
Phone: 818 354 2903
[EMAIL PROTECTED]
Re: [newbie] deny access to su
On Tue, 14 May 2002 22:27:58 +0100
Dave Conroy [EMAIL PROTECTED] wrote:

> Hi Damian,
>
> Tuesday, May 14, 2002, 10:13:55 PM, you wrote:
>
> quote of a post i made...
>
> With best wishes,
>
> Dave

umm.. what's up with this? i've seen at least four or five replies like this from 'Dave' to several people here, including me now...

is this some kind of badly-written auto-reply thing?

Damian
Re: [newbie] deny access to su
I'm not saying that it's the best way to do things, but they did ask if it was possible. It's much better to have users you trust on your box than to have ones you don't.

Actually, the below is only part of the answer; there is something in the shells that can be done to ignore any executables under a user directory, for example... I've never actually done it, but I've been on servers that were set up that way.

Michael

--
Michael Viron
Core Systems Administration Team
Simple End User Linux

At 01:21 PM 5/14/2002 -0700, you wrote:
> Michael Viron wrote:
>
> > Change the group ownership on su to root:wheel . Next, remove execute
> > permission from other on su.
>
> I have to say I find this option kind of puzzling. What's the rationale
> exactly? Why couldn't an opponent who knew the root pword just execute
> his *own* copy of su? It seems it would have nuisance value at best.
> Not that nuisance value couldn't be of some practical use, provided the
> security admin doesn't think it's a substitute for safeguarding
> passwords.
>
> Or maybe it's to prevent *inadvertent* rather than malicious damage?
> Something like: People in our group might find out the root pword and
> be tempted to su to quick-fix some difficulty they're having, then they
> might break something and we wouldn't know who was responsible, so
> we'll just remove the temptation? I guess that makes a certain amount
> of sense, but it's not terribly flattering to your coworkers.
Re: [newbie] deny access to su
On Tue, 14 May 2002 14:50:01 -0700
Mike Oliver [EMAIL PROTECTED] wrote:

> Damian G wrote:
>
> > On Tue, 14 May 2002 13:21:59 -0700
> > Mike Oliver [EMAIL PROTECTED] wrote:
> >
> > > Michael Viron wrote:
> > >
> > > > Change the group ownership on su to root:wheel . Next, remove
> > > > execute permission from other on su.
> > >
> > > I have to say I find this option kind of puzzling. What's the
> > > rationale exactly? Why couldn't an opponent who knew the root pword
> > > just execute his *own* copy of su? It seems it would have nuisance
> > > value at best. Not that nuisance value couldn't be of some practical
> > > use, provided the security admin doesn't think it's a substitute for
> > > safeguarding passwords.
> >
> > hmm.. how about denying read access too?
>
> What would stop the opponent from transferring a copy of su from another
> machine?

hmm ok ok ok what about this. ;oP

this gets better, how about moving the su executable to a dedicated directory and denying other users permission to access or list that dir?

for example something like this.

    mkdir /bin/SU
    mv /bin/su /bin/SU/su

and then add an alias system-wide

    alias su /bin/SU/su

so if the directory /bin/SU is locked for certain people, they would get no access?

Damian
Re: [newbie] deny access to su
Damian G said onto me:
--
|On Tue, 14 May 2002 22:27:58 +0100
|Dave Conroy [EMAIL PROTECTED] wrote:
|
| Hi Damian,
|
| Tuesday, May 14, 2002, 10:13:55 PM, you wrote:
|
| quote of a post i made...
|
|
| With best wishes,
|
| Dave
|
|
|umm.. what's up with this? i've seen at least four or five
|replies like this from 'Dave' to several ppl here, including me now...
|
|is this some kind of badly-written auto-reply thing?
|
|Damian

But remember, there's more than one 'Dave' on this list. Just watch where you point that flame thrower..

another Dave

--
°°°
David L. Steiner
Registered Linux User #262493
Mandrake 8.2  Enlightenment 0.16.5  Sylpheed 0.7.5claws
Email: [EMAIL PROTECTED]
Homepage: www.davidlsteiner.com
°°°
[newbie] deny access to su
hi, i'm running mandrake 8.2. i would like to deny certain user groups from running su. eg, if i create a group project, and want to deny all users of project from being able to su. how do i do it?

i've tried manually removing users from the wheel group, in /etc/group, but somehow the users can still su. am i doing something wrong?

thanks
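The observation above, that removing users from wheel in /etc/group did not stop su, has a common cause on PAM-based systems such as Mandrake: su does not consult /etc/group itself. The wheel check is done by the Linux-PAM module pam_wheel.so, configured in /etc/pam.d/su, and many distributions ship that line commented out, so group membership is never looked at. The script below is an added example, not code from the thread or from the distribution; it reports whether the pam_wheel line is live and enables it. The sample su stack it writes is constructed here, modelled on the Red Hat-style layout of the period, and the `use_uid` argument is the pam_wheel option that checks the real user's group membership.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: Linux-PAM, with su's stack
# in /etc/pam.d/su as on Mandrake/Red Hat-style systems. Wheel membership only
# gates su when a live "auth ... pam_wheel.so" line is in that file.

# pam_wheel_active FILE
#   Return 0 if FILE has an uncommented auth line loading pam_wheel.so,
#   1 otherwise. A leading "#" makes the line a comment, which the regex rejects.
pam_wheel_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_wheel\.so' "$1"
}

# enable_pam_wheel FILE
#   Uncomment a shipped "#auth required ... pam_wheel.so use_uid" line, or, if
#   there is none, insert one directly after the pam_rootok.so line so that root
#   itself can still su without a password. The file is rewritten in place via
#   a temp copy (cat > file keeps the original inode and permissions).
enable_pam_wheel() {
    file=$1
    tmp=$(mktemp) || return 1
    if grep -Eq '^[[:space:]]*#[[:space:]]*auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so[[:space:]]+use_uid' "$file"; then
        sed -E 's/^[[:space:]]*#[[:space:]]*(auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so[[:space:]]+use_uid)/\1/' "$file" > "$tmp"
    else
        awk '{ print }
             /^[ \t]*auth[ \t]+sufficient[ \t]+.*pam_rootok\.so/ {
                 print "auth\t\trequired\tpam_wheel.so use_uid"
             }' "$file" > "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
    pam_wheel_active "$file"          # fail if the edit did not take
}

# sample_su_stack -> a constructed /etc/pam.d/su in the weak, shipped state:
# the wheel line is present but commented out, so /etc/group is irrelevant.
sample_su_stack() {
    cat <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     pam_wheel.so use_uid
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
EOF
}

# demo -> "BEFORE AFTER", e.g. "inactive active"; works on a scratch file,
# so it needs no root. On a real box: enable_pam_wheel /etc/pam.d/su (as root).
demo() {
    f=$(mktemp) || return 1
    sample_su_stack > "$f"
    if pam_wheel_active "$f"; then before=active; else before=inactive; fi
    enable_pam_wheel "$f" || { rm -f "$f"; return 1; }
    if pam_wheel_active "$f"; then after=active; else after=inactive; fi
    rm -f "$f"
    echo "$before $after"
}

demo
```

With the line active, su fails for anyone whose real UID is not in wheel before the password prompt is ever shown, which is the behaviour the poster expected from editing /etc/group. Re-check with `pam_wheel_active /etc/pam.d/su` after any package upgrade that replaces the file.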
Re: [newbie] deny access to su
Change the group ownership on su to root:wheel . Next, remove execute permission from other on su.

Michael

--
Michael Viron
Core System Administration Team
Simple End User Linux

At 12:23 PM 5/14/2002 +0800, you wrote:
> hi, i'm running mandrake 8.2. i would like to deny certain user groups
> from running su. eg, if i create a group project, and want to deny all
> users of project from being able to su. how do i do it? i've tried
> manually removing users from the wheel group, in /etc/group, but
> somehow the users can still su. am i doing something wrong? thanks
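Michael Viron's two steps, as an added example that is not code from the thread: a POSIX shell script that applies them and shows what a user outside wheel is left with. It assumes GNU coreutils (`stat -c`), an existing `wheel` group, and that `restrict_su /bin/su wheel` is run as root against the real binary; the `demo` function runs the same steps on a scratch file with the caller's own group so it can be tried without root. Mode 4750 keeps the setuid bit, which su needs to change UID at all, drops every permission for "other", and leaves root and wheel as the only accounts that can even start the binary. It covers this one path only: a second setuid-root copy installed by root, or a sudo rule, is untouched.

```shell
#!/bin/sh
# Added example (not from the thread): Michael Viron's two steps wrapped in a
# function, plus a check of what the result means for a non-wheel user.
# Assumptions: GNU coreutils (stat -c), a "wheel" group on the box, and that
# restrict_su is run as root against the real binary. demo() applies the same
# function to a scratch file and the caller's own group so it runs without root.

# restrict_su PATH GROUP
#   Hand the binary to GROUP and set mode 4750: setuid, rwx for the owner,
#   r-x for GROUP, nothing for anyone else. Keeping the setuid bit matters:
#   without it su cannot change UID, root password or not.
restrict_su() {
    path=$1
    group=$2
    chgrp "$group" "$path" || return 1
    chmod 4750 "$path" || return 1
}

# octal_mode PATH -> e.g. "4750"
octal_mode() {
    stat -c '%a' "$1"
}

# other_can_exec PATH -> "yes" if the "other" execute bit is set, else "no".
# Once it prints "no", users outside GROUP get EACCES from execve() before
# su runs a single instruction, so there is no password prompt to attack.
other_can_exec() {
    mode=$(octal_mode "$1")
    other=${mode#"${mode%?}"}      # last octal digit = other's rwx triplet
    case $other in
        1|3|5|7) echo yes ;;
        *)       echo no ;;
    esac
}

# demo -> "BEFORE AFTER MODE", expected "yes no 4750"
demo() {
    f=$(mktemp) || return 1
    printf '#!/bin/sh\necho "stand-in for su"\n' > "$f"
    chmod 4755 "$f"                    # typical shipped state: setuid, world-executable
    before=$(other_can_exec "$f")
    restrict_su "$f" "$(id -g)" || { rm -f "$f"; return 1; }
    after=$(other_can_exec "$f")
    mode=$(octal_mode "$f")
    rm -f "$f"
    echo "$before $after $mode"
}

demo
```

Verify on the real file with `stat -c '%a %U %G' /bin/su`, which should read `4750 root wheel` afterwards; the owner must stay root, since a setuid bit on a binary owned by anyone else only grants that owner's UID.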
Re: [newbie] deny access to su
Stormjumper wrote:

> hi, i'm running mandrake 8.2. i would like to deny certain user groups
> from running su. eg, if i create a group project, and want to deny all
> users of project from being able to su. how do i do it? i've tried
> manually removing users from the wheel group, in /etc/group, but
> somehow the users can still su. am i doing something wrong? thanks

Nope, you aren't.

If you want to keep users from using su, then don't give them the root password. Instead, those who need to be su'ed for a while should be added to /etc/sudoers using visudo as the editor, and use their own password to be superuser equivalent for the commands you decide to permit.

But nothing short of moving/removing su from the system will prohibit users from attempting to su. Naturally if they don't know the root password (or don't know that you moved su to /sbin) then they cannot become su.

Civileme