is it possible....

honeymak · Guru Joined: 30 Dec 2002 Posts: 596

to limit some accounts NOT to be su by any others except root?

i don't mean the capability of running the su command

e.g. i want user account A that will never be su by user account B who is capable of running su command
so,

root can su - A
while
userB CANNOT su - A AND userB CAN su - C

:oops:

_________________
hackers - make sth real
academics - read sth said to be real

shazeal · Posted: Wed May 19, 2010 1:50 am Post subject:

Dont tell userB userA's password? Sorry its hard to see why you would want a system like this in the first place?

honeymak · Guru Joined: 30 Dec 2002 Posts: 596

when auditors are at your back,
u know why
_________________
hackers - make sth real
academics - read sth said to be real

rainer · Posted: Wed May 19, 2010 12:21 pm Post subject:

Isn't that what the wheel group is good for?

User A --> member of wheel group --> can su
User B --> not member of wheel group --> cannot su

I'm not sitting in front of my Gentoo machine right now - but that's what I remember...

wthrowe · Tux's lil' helper Joined: 19 Aug 2009 Posts: 141

Use sudo instead of su. It allows finer grained control of who can do what as whom.

honeymak · Guru Joined: 30 Dec 2002 Posts: 596

hm.....seems this is the missing use case for su/sudo design

i am not needing any capability to be doing anything as anyone

i just want certain accounts that CANNOT be su-ed by any others except root
u may say 'deny to be su-ed except root'
:oops:

_________________
hackers - make sth real
academics - read sth said to be real

rainer · Posted: Wed May 19, 2010 2:42 pm Post subject:

Not sure whether I understand. What do you mean with "be su-ed by any others"?

Probably your problem can be solved by rights allocation.

wthrowe · Tux's lil' helper Joined: 19 Aug 2009 Posts: 141

I still think sudo can do what you want, although you might have to list all the allowed users. Something like (UNTESTED)

phajdan.jr · Posted: Wed May 19, 2010 5:31 pm Post subject:

From what I understand, you want to disallow user A to use so to become user B.

But if user A is allowed to use su, he can su to root, and the su to B. If you want to allow user A to su to some users, but not others, sudo seems to be a better option.

But the simplest solution is to not let the users use su at all.
_________________
http://phajdan-jr.blogspot.com/

honeymak · Guru Joined: 30 Dec 2002 Posts: 596

wthrowe's reply is more likely....but seems a tedious task...becoz that's not by design, i can't negate
so i have to do ALL users x ALL targets cases :cry:

phajdan.jr, it's not possible in my situation
:cry:

_________________
hackers - make sth real
academics - read sth said to be real

honeymak · Guru Joined: 30 Dec 2002 Posts: 596

ooops.....seems i just found my answer in sudoers manpage
:oops:

i will give it a try
:twisted:

_________________
hackers - make sth real
academics - read sth said to be real