restriction of the "su" command

There's a feature I really like in FreeBSD that I haven't seen implemented in Solaris.

In FreeBSD you can only "su" if you are part of the 'wheel' group... this isn't the case with my Solaris box.

I want to know how I can set up my Solaris box so that only people who are part of the 'sysadmin' group (or, if I have to make one, a 'wheel' group) are able to "su" to root.

Hi xyyz,
You could lock down the actual binary and only give execute permissions to whatever group you want. For example, above you said you have a sysadmin group. You could do this to su:

chown root:sysadmin su
chmod 550 su

I don't know what side effects there could be from doing this as I haven't tried it. Default perms on my box are -r-sr-xr-x, which kind of implies that there may be a reason everyone has execute by default.

If that doesn't work for you there is always PAM or sudo.
TioTony

The su program needs to have its effective uid set to zero as it runs. Changing the permissions to 550 creates an su program that only root can use. You need to do:
chmod 4550 su
if you're going to do this. And you could create a wheel group while you're at it. This is how BSD does it: it just creates the wheel group, sets the su program to be group wheel and the mode to be 4550.
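
The chgrp/chmod 4550 procedure from the two replies above, written out as an added example that is not part of the original thread. It wraps the steps in shell functions plus an audit check, and the demo runs on a constructed throw-away copy so it can be tried without root; the real binary path (for example /usr/bin/su) and the group name are assumptions you pass in. One detail worth knowing: on Linux, chown/chgrp of an executable clears the setuid bit (even when root does it), and Solaris does the same for unprivileged callers, so the chmod has to come after the chgrp or you end up with exactly the non-setuid "550" su described above.

```shell
#!/bin/sh
# Added example (not from the original thread): lock a setuid-root binary
# such as su to one group, and audit the result.
#
# Assumptions (ours, not the thread's): the binary path and group are
# passed in; the demo below runs on a throw-away copy in $TMPDIR so it
# can be run as an ordinary user.
set -eu

# Restrict PATH to GROUP: chgrp first, then chmod 4550.  Order matters:
# chgrp/chown on an executable clears the setuid bit (always on Linux,
# for unprivileged callers on Solaris), so setting the mode first would
# leave a non-setuid su that only root can usefully run.
lock_su_to_group() {
    path=$1
    group=$2
    chgrp "$group" "$path"
    chmod 4550 "$path"
}

# Ten-character mode string as shown by ls, e.g. "-r-sr-x---".
su_mode() {
    ls -ld "$1" | cut -c1-10
}

# Group owner of PATH as shown by ls (fourth column).
su_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Audit check: returns 0 only if PATH is setuid, readable and executable
# by owner and group, and has no permissions at all for others.
su_is_locked() {
    [ "$(su_mode "$1")" = "-r-sr-x---" ]
}

# Demo: a constructed stand-in for /usr/bin/su so this runs without root.
demo() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/su-demo.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    printf '#!/bin/sh\necho "pretend su"\n' > "$tmp"
    chmod 555 "$tmp"    # mimic the world-executable default (minus setuid)
    lock_su_to_group "$tmp" "$(id -gn)"
    printf 'mode=%s group=%s\n' "$(su_mode "$tmp")" "$(su_group "$tmp")"
    if su_is_locked "$tmp"; then echo locked; else echo NOT locked; fi
}
demo
```

On a real system run it as root against the real binary (lock_su_to_group /usr/bin/su wheel), and keep su_is_locked in whatever periodic configuration audit you already run, since a package upgrade that reinstalls su will silently restore the world-executable default.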

Hi,

If your version of su is PAM-enabled then you could enable the wheel group module in the /etc/pam.d/su config file.

I can't recall the precise syntax, but it may be that the line needs uncommenting to allow this feature to work.

Andy.
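
A check for the PAM route Andy describes, as an added example that is not from the thread: a shell function that reports whether a Linux-PAM style su service file has an active (uncommented) pam_wheel line, so the setting can be audited rather than eyeballed. The sample config is constructed for the demo, modelled on the commented-out line that Linux distributions commonly ship; the file name /etc/pam.d/su is Andy's, while the group name sysadmin is our assumption (pam_wheel's group= option selects the group, the default being wheel). Caveat: this is the Linux-PAM layout; Solaris keeps its PAM policy in /etc/pam.conf and does not ship a pam_wheel module.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a Linux-PAM style
# /etc/pam.d/su restricts su to a group via pam_wheel.  The sample
# config below is constructed for the demo; the group name "sysadmin"
# is an assumption.
set -eu

# Print "enabled" if FILE has an active auth line loading pam_wheel.so,
# "disabled" if every pam_wheel line is commented out, and "absent" if
# there is no pam_wheel line at all.  Leading whitespace and the "-auth"
# (optional module) spelling are tolerated.
pam_wheel_status() {
    awk '
        /pam_wheel\.so/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/) { commented = 1; next }
            if (line ~ /^-?auth[ \t]/) { active = 1 }
        }
        END {
            if (active) print "enabled"
            else if (commented) print "disabled"
            else print "absent"
        }' "$1"
}

# Convenience check for scripts: exit 0 only when pam_wheel is active.
pam_wheel_enabled() {
    [ "$(pam_wheel_status "$1")" = "enabled" ]
}

# Demo: a constructed su service file in the shipped state (pam_wheel
# commented out) beside the fixed version.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/pam-demo.XXXXXX")
    trap 'rm -rf "$d"' EXIT
    cat > "$d/su.default" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
EOF
    # Fixed: uncomment only the "required" line and name the group explicitly.
    # (Do not blindly uncomment a "pam_wheel.so trust" line if one exists:
    # that lets group members su without a password.)
    sed 's/^#\(auth[[:space:]]*required[[:space:]]*pam_wheel\.so.*\)$/\1 group=sysadmin/' \
        "$d/su.default" > "$d/su.fixed"
    for f in "$d/su.default" "$d/su.fixed"; do
        printf '%s: pam_wheel %s\n' "$f" "$(pam_wheel_status "$f")"
    done
}
demo
```

Point pam_wheel_status at the real /etc/pam.d/su once the line is in place; remember that pam_wheel compares the target user's group membership at the moment su runs, so the check is only as good as the group file it reads.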

If you are using Solaris, go in and set a file access control list (ACL) on the su command and give execute permission to group 14. This is the easiest way to set the restrictions you want.

Hope this helps.
Michael