How to remove the SU command ... 1

Status
Not open for further replies.

ratbs75

IS-IT--Management
Mar 8, 2001
147
BE
Hi, another easy one for you Profis... :)

I want the 'SU' command used ONLY by root and 2 other users. All others are not allowed to use 'su'. What's the easiest way?

Thanks a lot in advance...
 
I don't think there is any normal option to enable / disable the su command for individual users, but if you really need to do this, then you could change the permissions of the su file to make it executable only by root and members of a particular group. You would need to create a new group and add your two users to this group, then make su executable by this group as well as root. Users who do not belong to this group would then be unable to execute su.
 
Hello:

There is another way to do this, but perhaps it is a bit more complex. If you don't want to install third party software you can make your own sudo software with this C code:

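#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* for the strcmp check suggested below */
#include <unistd.h>
#include <errno.h>

int main(int argc, char *argv[])
{
    int uid_res, gid_res;

    /* Need at least the name of the command to run */
    if (argc < 2) exit(1);

    /* Switch the group ID first, then the user ID, to root */
    if ((gid_res = setgid(0)) == -1)
    {
        perror("setgid failed");
        exit(1);
    }
    if ((uid_res = setuid(0)) == -1)
    {
        perror("setuid failed");
        exit(1);
    }

    /* Run the requested command with the remaining arguments */
    if ((execvp(argv[1], argv + 1)) == -1)
    {
        perror("execvp failed");
        exit(1);
    }
    return 0;
}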
Of course you should modify it to only allow some commands and users. For example, if you want to only allow some commands to be executed as root commands you should insert the next lines:

if (strcmp(argv[1],"command1")&&strcmp(argv[1],"command2")...){
    /* the command is not one of the allowed ones */
    exit (1);
}
With the users you can do the same (take it by making a system call like "id" and modify the program to only allow some users to execute it). Another way to restrict user access to this program can be to create a new group, change the group of the executable file and make those users members of that group.
Of course the executable file should be owned by root and have the set_uid bit.

Best regards,
Mario.
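
A hardened variant of the wrapper described in the post above, as an added example that is not part of the thread: it maps each allowed command name to an absolute path, checks the caller's real UID, and runs the command with a fixed environment instead of searching the caller's PATH. The command paths, the UIDs and the helper names `resolve_command` and `uid_allowed` are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed allow-list: short name -> absolute path (never a PATH lookup). */
static const struct { const char *name, *path; } allowed_cmds[] = {
    { "command1", "/usr/local/sbin/command1" },
    { "command2", "/usr/local/sbin/command2" },
};
/* Constructed list of real UIDs permitted to use the wrapper. */
static const uid_t allowed_uids[] = { 1001, 1002 };

/* Return the absolute path for an allowed command name, or NULL. */
const char *resolve_command(const char *name)
{
    size_t i;
    if (name == NULL) return NULL;
    for (i = 0; i < sizeof allowed_cmds / sizeof allowed_cmds[0]; i++)
        if (strcmp(name, allowed_cmds[i].name) == 0)
            return allowed_cmds[i].path;
    return NULL;
}

/* Return 1 if the real (invoking) UID is root or on the allow-list. */
int uid_allowed(uid_t uid)
{
    size_t i;
    if (uid == 0) return 1;
    for (i = 0; i < sizeof allowed_uids / sizeof allowed_uids[0]; i++)
        if (allowed_uids[i] == uid) return 1;
    return 0;
}

int main(int argc, char *argv[])
{
    /* Fixed environment: nothing is inherited from the caller. */
    char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    const char *path = argc >= 2 ? resolve_command(argv[1]) : NULL;

    if (path == NULL || !uid_allowed(getuid())) {
        fprintf(stderr, "not permitted\n");
        return 1;
    }
    if (setgid(0) == -1 || setuid(0) == -1) { perror("set id"); return 1; }
    execve(path, argv + 1, clean_env);   /* absolute path, no PATH search */
    perror("execve failed");             /* reached only if execve failed */
    return 1;
}
```

getuid() returns the real UID, which a set-uid binary leaves unchanged, so the check applies to the invoking user and not to the file owner.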
 