Logging in and then su to root

eyounes · March 8, 2002, 4:25am

We have several people that log in using root. What I need to do is have everyone to log in using there own account then su to root. How would I do this. We have aix 4.2

killerserv · March 8, 2002, 4:42am

Cant understand your question...

Are you trying to say everyone login their own password and also use su root login? su command can be usen by anyone having to know the root password are you saying that you want to prevent that login ? Please re-define your question.

eyounes · March 8, 2002, 5:17am

hello,
thanks for your reply ,
yes, it will be helpful for me to prevent them to use su command
.is there any way

killerserv · March 8, 2002, 6:04am

First of all the su command can/must be used by previeleged users ie. root. Frequent change of password must be done to obtain maximum security between the server site and client side.

one way to do it is to add a script to either /etc/profile or the particular user's .profile that tests to restrict the user. Something like this in /etc/profile will work:

IAM=`who am i | cut -d" " -f1`
COUNT=`w | cut -d" " -f1 | grep "^$IAM$" | wc -l`
[ $COUNT -gt 1 ] && exit 0

Not sure whther that command works or not but one thing for suggestion. Do not disable the password. Changing the password will do (just an advise). In case of problem then your user might face some problem.

LivinFree · March 8, 2002, 7:26am

Wait, your first post says that people are curretly logging in as root, and that you want them to log in as themselves and use su to get root.

Your second post says that you don't want them using su.

I'm lost.

OK... lets see...

If you don't want people to log directly in as root, edit the /etc/securetty file (different for some versions of Unix - post back with which Unix you're using, and we can help you).

If you want to limit the people who can use su, you could change the group on it to something else (wheel is very common), and remove the rights for everyone else, so that only those in the wheel group can execute the su command. su does not have to be run by a priveleged user, but it's a good idea to limit those who can use it to prevent abuse and brute force attempts.

If you don't want su either, look into sudo. It gives you the ability to limit what users can execute which commands as superuser.

If none of these satisfy your question, please post back with exactly what you need.

rwb1959 · March 8, 2002, 10:33am

Here's a link that may help.
It gives you a "checklist" of things to
look for and possibly correct.

http://www.cop.vt.edu/unix/aix.security.html