Thursday, November 29, 2007

securing /bin/su

I am just blogging this for my own sanity more than anything; if someone happens to stumble upon it, kudos to you.

As root, do the following:

1. groupadd wheel
The wheel group is the conventional group for this purpose; if it does not already exist on the machine, this creates it.

2. chown root:wheel /bin/su
This sets the owner of su to root and its group to wheel.

3. chmod o-x /bin/su
This removes execute permission for everyone else ("other"), so su can now only be executed by root and by members of the wheel group.
(Alternatively, the same result can be had with chmod 04750 /bin/su.)

4. usermod -G users,wheel username
Note that all of the user's supplementary groups need to be listed here: -G does not add to the existing list, it replaces it, so the user is removed from any group that was there before but is not listed.

This only takes effect once a new login shell is started, though (group membership is read at login, so an existing session keeps its old group list).
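The four steps above as an added example script (mine, not from the original post), together with a check that reports whether su ended up as root:wheel with mode 4750 and whether a given user's group list contains wheel. It assumes shadow-utils (groupadd, usermod) and GNU coreutils stat; the harden and grant actions need root. The grant action uses usermod -a -G, the append form, so the user's existing groups do not have to be re-listed as in step 4. SU_PATH is an assumed override so the check can be pointed at a test file.

```sh
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: shadow-utils (groupadd, usermod), GNU coreutils stat.
# SU_PATH is an assumed override used for testing the check function.
SU_PATH=${SU_PATH:-/bin/su}

# Steps 1-3 (need root). chmod 4750 is the explicit form of "chmod o-x"
# applied to a stock 4755 su: setuid stays on, "other" loses execute.
harden_su() {
    getent group wheel >/dev/null 2>&1 || groupadd wheel
    chown root:wheel "$SU_PATH"
    chmod 4750 "$SU_PATH"
}

# Step 4 (needs root). -a appends to the supplementary group list, so the
# user's other groups are kept without re-listing them (plain -G replaces
# the whole list, which is the pitfall noted in the post).
grant_su() {
    usermod -a -G wheel "$1"
}

# check_su_perms FILE OWNER GROUP: returns 0 if FILE is OWNER:GROUP with
# mode 4750; otherwise prints each mismatch and returns 1.
check_su_perms() {
    file=$1 want_owner=$2 want_group=$3
    actual=$(stat -c '%a %U %G' "$file") || return 1
    set -- $actual    # $1=mode (octal, incl. setuid bit), $2=owner, $3=group
    rc=0
    [ "$1" = 4750 ] || { echo "$file: mode $1, want 4750"; rc=1; }
    [ "$2" = "$want_owner" ] || { echo "$file: owner $2, want $want_owner"; rc=1; }
    [ "$3" = "$want_group" ] || { echo "$file: group $3, want $want_group"; rc=1; }
    return $rc
}

# user_in_group USER GROUP: returns 0 if USER's group list in the account
# database contains GROUP. This is what the user gets at the next login;
# a shell opened before usermod ran still carries the old list, which is
# why "id -nG" without a user argument can disagree until re-login.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

case "${1:-}" in
    harden) harden_su ;;                   # sudo sh harden_su.sh harden
    grant)  grant_su "$2" ;;               # sudo sh harden_su.sh grant alice
    check)  check_su_perms "$SU_PATH" root wheel     # sh harden_su.sh check [alice]
            [ -n "${2:-}" ] && user_in_group "$2" wheel ;;
esac
```

Running "sh harden_su.sh check alice" after the four steps should print nothing and exit 0; a non-zero exit with a printed mismatch means one of the steps did not stick (or alice has not logged in again since being added to wheel).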

There you have it: a very simple way to secure su. There are a couple more things one can do, but this is a good place to start. Using a PAM module is also a nice way, but that is a story for another day.

PS: I just discovered the SUID, SGID and sticky bits and what they mean for the system.

"By default, when a user executes a file, the process which results in this execution has the same permissions as those of the user. In fact, the process inherits his default group and user identification.

If you set the SUID attribute on an executable file, the process resulting in its execution doesn't use the user's identification but the user identification of the file owner." .... http://www.linuxforums.org/security/file_permissions.html
