
Where is my wheel group? 2


ksas025

Technical User
Jun 3, 2004
I am using AIX 4.3 and I would like to tighten up the ability to su. I know my linux box has a wheel group where I can explicitly specify who has su access.

My AIX servers do not have this group.

Is it as simple as just creating the group and adding users to it? How is the wheel group authentication enabled?
 
You would need to create an administrative group and add that group to the SU GROUP value for root. You can maintain tighter control over root access with sudo.
You can find info on it here
[morning] needcoffee
 
So there is no wheel group equivalent for AIX?

Is sudo the only other way to prohibit groups of users from su'ing to root with AIX?

Thanks for the replies.
 
In AIX a user has an attribute sugroups, which is a list of groups. A user belonging to any one of these groups is allowed to su to said user, as needcoffee already pointed out.

So:
1) create an admin group 'allowsu'
2) put that group in root's sugroups
3) add users to that group 'allowsu'

Users that are in group 'allowsu' will be allowed to su to root.

# mkgroup admin=yes allowsu
# chuser sugroups=allowsu,system,sys # check contents of this attribute first
# chuser groups=staff,allowsu bill # check contents of groups attr for user bill first

or use smit to do all this.

Now bill can su to root (if he knows root's password).


HTH,

p5wizard
 
I omitted root from the second command - typed my response from home, didn't check it on an aix box

# mkgroup admin=yes allowsu
# chuser sugroups=allowsu,system,sys root # check contents of sugroups attribute for user root first
# chuser groups=staff,allowsu bill # check contents of groups attr for user bill first

here's a real example:

# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit)
# lsuser -a sugroups root
root sugroups=system,bin,sys,adm,security,cron,audit
# mkuser bill
# su - bill
$ id
uid=205(bill) gid=1(staff)
$ su -
root's Password: ********
Cannot su to "root" : Authentication is denied.
$ exit
# lsuser -a groups bill
bill groups=staff
# mkgroup admin=true allowsu
# chuser sugroups=system,bin,sys,adm,security,cron,audit,allowsu root
# chuser groups=staff,allowsu bill
# su - bill
$ id
uid=205(bill) gid=1(staff) groups=204(allowsu)
$ su
root's Password: ********
# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit)
# exit
$ exit
#



HTH,

p5wizard
 

It is all clear to me now. Thanks so much for the response!!!!
 
If you want, you can name that "allowsu" group "thewheel", "wheel" or "suwheel"; that should make it obvious to you what it's there for.

Thanks for the *!


HTH,

p5wizard
 
Actually, what I am going to do is the following:

1. create group nosu
2. Add the no SU users to the nosu group
3. Edit /etc/security/user and add sugroups = !nosu to the global section. This essentially disallows group nosu from su'ing to anything.

Does this implementation seem valid?

Thanks again.

A.
 
Never done it that way, but according to manpage that should work:

man chuser said:
sugroups
Lists the groups that can use the su command to switch to the specified user account. The Value parameter is a comma-separated list of group names, or a value of ALL to indicate all groups. An ! (exclamation point) in front of a group name excludes that group. If this attribute is not specified, all groups can switch to this user account with the su command.

HTH,

p5wizard
 
Adding !nosu will work but is not a best practice in my mind. All you are doing is preventing a user in the group from using the su tool. If you create a new user and forget to place them in this group, you potentially give them an access hole to exploit. Anyone with chuser access could strip this group off a user, which could give them access to root if the password was known.

It is better to create an administrative group per p5wizard's instructions and add the group to root's SUGROUP attribute. This way only people in that group can su to root. To further increase your security change the permissions on /usr/bin/su from 4555 to 4550 using chmod. This way only root and people in the security group can use su.

[morning] needcoffee
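To make the sugroups rules from the chuser man page quoted above concrete, and to audit the "allowsu" allow-list against the "!nosu" deny-list both ways as discussed in this thread, here is an added shell example; it is not AIX's own code or a tool from this thread, the lsuser output it reads is constructed sample data, and it assumes that a "!group" entry takes precedence over ALL or an allowed group.

```shell
# Added example (not AIX's own code): apply the sugroups rules from the chuser
# man page quoted above, then audit who may su to a target user from constructed
# 'lsuser -a sugroups groups ALL' output. Assumption: a !group entry wins over ALL.
# can_su SUGROUPS USER_GROUPS -> prints allow/deny, returns 0/1.
#   SUGROUPS: target's sugroups value (comma list, may hold ALL and !group;
#   empty = not specified = every group may su). USER_GROUPS: caller's groups.
can_su() {
    sugroups=$1 user_groups=$2 result=deny
    [ -z "$sugroups" ] && result=allow                # man page default
    IFS=,
    for g in $user_groups; do
        for rule in $sugroups; do
            case $rule in
                "!$g")    unset IFS; echo deny; return 1 ;;   # exclusion wins
                ALL|"$g") result=allow ;;
            esac
        done
    done
    unset IFS
    echo "$result"
    [ "$result" = allow ]
}

# Constructed sample data in lsuser's "user attr=value attr=value" line format.
SAMPLE_LSUSER='root sugroups=system,bin,sys,adm,security,cron,audit,allowsu groups=system,bin,sys,adm,security,cron,audit
bill sugroups=ALL groups=staff,allowsu
carol sugroups=ALL groups=staff
dave sugroups=ALL groups=staff,nosu'
# Same users, but root configured the "!nosu" way discussed in the thread.
SAMPLE_NOSU='root sugroups=ALL,!nosu groups=system,bin,sys,adm,security,cron,audit
bill sugroups=ALL groups=staff,allowsu
carol sugroups=ALL groups=staff
dave sugroups=ALL groups=staff,nosu'
# who_can_su TARGET DATA -> space-separated users whose groups pass TARGET's sugroups.
who_can_su() {
    target=$1 data=$2 out=
    target_sugroups=$(printf '%s\n' "$data" |
        awk -v u="$target" '$1 == u { sub(/^sugroups=/, "", $2); print $2 }')
    while read -r name sug grp; do
        [ -z "$name" ] || [ "$name" = "$target" ] && continue
        can_su "$target_sugroups" "${grp#groups=}" >/dev/null && out="$out $name"
    done <<EOF
$data
EOF
    printf '%s\n' "${out# }"
}

echo "allowsu model: $(who_can_su root "$SAMPLE_LSUSER")"   # bill
echo "!nosu model  : $(who_can_su root "$SAMPLE_NOSU")"     # bill carol
```

The second run shows needcoffee's point: with the deny-list, carol can su to root simply because nobody put her in nosu, whereas with the allow-list only explicit members of allowsu can.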
 