Original Post:
>I have users on Solaris 2.6 NIS environment on Sparc20s.
>Users have root passwd for their workstations.
>They can become root on their workstation and su to whomever
>they want from NIS passwd file.
>How do I stop this without taking their root passwd away?

Thanx all for your replies. Too many to list. The majority of answers said "Can't be done without removing su" and "use sudo". Below are a few different suggestions... The last 2 replies pasted below still wouldn't stop users su'ing to someone else once they are root, I think. The only way I can think of is something like CA/eTrust/SeOS...

===============================================================

The obvious technical solution is to configure all your *other* machines so that they don't trust the workstations in question. That means no NFS exports (except read-only exports of non-sensitive information), no hostbased authentication for ssh, no /etc/hosts.equiv entries, etc.

It may also be possible to Kerberize your installation. One of the merits of Kerberos is precisely that it authenticates users centrally, and does *not* trust the (insecure) workstations to do this.

====================================================================

Use "powerbroker"

===============================================================

Restrict the su command instead. Change /usr/bin/su to mode 4750. Change its group to a totally new group (I use group 15, which I have named "sugroup"). In the /etc/group file, define that group and explicitly list who is allowed to use the su group. (Be sure to include root!). So the only way they can become root is to log in locally. Since their NIS master is presumably in a data center that is not physically accessible, that should keep em out.

==============================================================

Make up a group called "wheel" (name stolen from BSD...)

ypcat group | grep wheel
wheel::15:comma,separated,list,of,users,which,is,ALLOWED,to,su

on all your clients:

#chmod 4550 /usr/bin/su /sbin/su.static
#chown root:wheel /usr/bin/su /sbin/su.static

Now, only users in group wheel can run "su"

===============================================================

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Sep 27 12:07:06 2002
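The su lock-down from the last two replies (a dedicated "wheel" group, mode 4550 on /usr/bin/su and /sbin/su.static, root listed in the group) is easy to get half-right across a fleet of clients, so here is an added audit script. It is not part of the thread or of Solaris; it assumes a POSIX shell (on Solaris 2.6 that means /usr/xpg4/bin/sh or ksh rather than the old /bin/sh) and an `ls -l` whose first field is the classic ten-character mode string. The group name "wheel" and the ls lines in the comments are taken from or modelled on the replies above.

```shell
#!/bin/sh
# Added example, not from the thread: audit the su lock-down described in the
# last two replies (group "wheel", mode 4550 on /usr/bin/su and /sbin/su.static).
# Assumes POSIX sh and an "ls -l" whose first field is the classic 10-char mode.

# su_line_ok GROUP LSLINE
# Checks one line of "ls -ld" output: the mode must be exactly -r-sr-x---
# (4550: setuid root, no access at all for "other") and the group field
# must equal GROUP. Returns 0 when both hold, 1 otherwise.
su_line_ok() {
    want_group=$1
    set -- $2                       # split the ls line into its fields
    mode=$1
    group=$4                        # ls -l: mode links owner group size ...
    case $mode in
        -r-sr-x---|-r-sr-x---?) ;;  # allow a trailing ACL/attribute marker
        *) return 1 ;;
    esac
    [ "$group" = "$want_group" ]
}

# group_has_member GROUPLINE USER
# Parses a /etc/group or "ypcat group" line (name:passwd:gid:members) and
# reports whether USER is in the member list. The reply stresses that root
# itself must be listed, otherwise root cannot run su either.
group_has_member() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    for m in $(printf '%s\n' "$members" | tr ',' ' '); do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# audit_su GROUP PATH...
# Runs ls -ld on each su binary and reports per file; the return value is
# the number of binaries that are not locked down as expected.
audit_su() {
    grp=$1; shift
    bad=0
    for p in "$@"; do
        if su_line_ok "$grp" "$(ls -ld "$p" 2>/dev/null)"; then
            echo "OK   $p"
        else
            echo "FAIL $p (want mode 4550, group $grp)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Typical use on a client, after the chown/chmod from the thread:
#   audit_su wheel /usr/bin/su /sbin/su.static
#   ypcat group | grep '^wheel:' | while read l; do
#       group_has_member "$l" root || echo "root missing from wheel"
#   done
```

Run `audit_su` from cron or a login script on every client; the check is cheap and catches the usual drift, such as a patch cluster reinstalling su with mode 4755 and group sys, which silently reopens su to everyone.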