Friday, December 28, 2012

Restrict the ability to switch to the root user


Having the ability to become root is great, but if the wrong person gets the root password then bad things can happen. So let's make it a little harder on them. In the steps below I'm going to make the su command unusable to a normal user. First we will remove the permissions for other. Then we change the group ownership to sysadmin, so that only users in the sysadmin group (gid 14) can su and become root.

Change permissions and group ownership on the su command

# cd /usr/bin
# ls -la su
-r-sr-xr-x 1 root sys 21192 Dec 28 12:30 su

# /usr/bin/chgrp sysadmin su
# /usr/bin/chmod 04750 su
# ls -la su
-rwsr-x--- 1 root sysadmin 21192 Dec 28 12:30 su

Now let's change the su.static file.

# cd /sbin
# ls -la su.static
-r-sr-xr-x 1 root sys 21192 Dec 28 12:30 su.static

# /usr/bin/chgrp sysadmin su.static
# /usr/bin/chmod 04750 su.static
# ls -la su.static
-rwsr-x--- 1 root sysadmin 21192 Dec 28 12:30 su.static
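The two steps above, applied to both binaries and then verified, as an added shell script that is not part of the original post. It follows the post's values (group sysadmin, /usr/bin/su and /sbin/su.static) and assumes a POSIX sh with chgrp, chmod, ls and id in PATH. By default it only audits and reports; with --apply it makes the change, and it refuses to do so unless the calling account is already in the admin group, because after the change an account outside that group can no longer su to root at all.

```sh
#!/bin/sh
# Added example (not from the original post): restrict the su binaries to one
# admin group and verify the result.  Defaults follow the post: group "sysadmin"
# (gid 14 on Solaris), files /usr/bin/su and /sbin/su.static.  Assumptions:
# POSIX sh, chgrp/chmod/ls/id in PATH, and root privileges when run with --apply.

ADMIN_GROUP=${ADMIN_GROUP:-sysadmin}
SU_FILES="/usr/bin/su /sbin/su.static"

# Apply the post's two steps to one file: group -> admin group, mode -> 04750
# (setuid root, owner rwx, group r-x, nothing for other).
restrict_su() {
    file=$1; group=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    chgrp "$group" "$file" || return 1
    chmod 04750 "$file" || return 1
}

# Verify without changing anything: the mode field of ls -ld must start with
# -rwsr-x--- (a trailing '+' or '.' for an ACL or security label is tolerated)
# and the group field (4th) must be the admin group.  Returns 0 when restricted.
check_su_restricted() {
    file=$1; group=$2
    [ -e "$file" ] || return 1
    set -- $(ls -ld "$file")
    case $1 in -rwsr-x---*) ;; *) return 1 ;; esac
    [ "$4" = "$group" ]
}

# True when the calling user is a member of the named group.
in_group() { id -Gn | tr ' ' '\n' | grep -qx "$1"; }

case ${1:-} in
  --apply)
    # Refuse to lock the operator out: they must already be in the admin group.
    in_group "$ADMIN_GROUP" || { echo "refusing: $(id -un) is not in $ADMIN_GROUP" >&2; exit 1; }
    for f in $SU_FILES; do
        [ -f "$f" ] && restrict_su "$f" "$ADMIN_GROUP"
    done
    ;;
esac

# Audit mode (always runs): report the state of each su binary.
for f in $SU_FILES; do
    if check_su_restricted "$f" "$ADMIN_GROUP"; then
        echo "$f: restricted to group $ADMIN_GROUP"
    else
        echo "$f: NOT restricted"
    fi
done
```

Run it without arguments after the change to confirm both files show as restricted; the check is the same comparison a reviewer would do by eye on the ls -la output above, just made repeatable.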