Linux su command security suggestions
Date added: 2017-01-08
First let us look at how the Linux man page describes su: "Run a shell with substitute user and group IDs." In other words, su starts a shell program under the user and group names we supply to it. su itself is a binary executable file located at /bin/su; the following commands show the file type of su and the path where it lives:

Example One:
islab $ which su
/bin/su
Example Two:
islab $ file /bin/su
/bin/su: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, stripped
Example Three:
islab $ ll /bin/su
-rwsr-xr-x 1 root root 24060 Jan 10 2007 /bin/su
From Examples Two and Three we can see that su is a setuid program (the setuid bit can be set with chmod u+s; in the ls output it appears as the "s" in the owner's execute position). A setuid program runs with the privileges of the file's owner rather than those of the user who starts it, so when you run su your effective privileges are raised to those of its owner, root.
From Example Two we can also see that the file type is "setuid ELF 32-bit LSB shared object": the program is dynamically linked, so it needs the libc library and the ELF interpreter (dynamic loader), and it follows the LSB (Linux Standard Base) specification.

Q. One: Can an ordinary user copy the su command from another machine?

A: They can copy the su binary from another machine, but they cannot set its permissions correctly (chown root and chmod u+s require root privileges), so the copied su will not work properly.

Q. Two: How to prevent ordinary users from running the su command?

1) Set up a special group so that only its members can execute the su command. The second command adds an account (here zhaoke) to the group; the last two make su owned by root with group wheel and mode 4750 (setuid, group executable, no access for others):
islab # groupadd wheel
islab # usermod -a -G wheel zhaoke
islab # chown root:wheel /bin/su
islab # chmod 4750 /bin/su

2) Allow only the root user to execute the su command:
islab # chmod 4700 /bin/su

3) Use the PAM library so that only wheel group members can execute the su command. The following example adds the zhaoke account to the wheel group (usermod -a appends to the supplementary groups instead of replacing them):

islab # groupadd wheel
islab # usermod -a -G wheel zhaoke
islab # ll /lib/security/pam_wheel.so
-rwxr-xr-x 1 root root 5692 Feb 22 2007 /lib/security/pam_wheel.so
islab # vi /etc/pam.d/su

Add the following line:

auth required /lib/security/pam_wheel.so use_uid

Save the configuration file and exit the editor.
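The following shell script is an added example, not part of the original post: it checks the properties examined in Examples One to Three (setuid bit, root ownership) and the two restrictions from Q. Two (group-only mode such as 4750, and an active pam_wheel line in /etc/pam.d/su). It assumes GNU stat as found on Linux; the binary and PAM file paths are parameters so the checks can be pointed at a copy of su or at a sample PAM file.

```shell
#!/bin/sh
# Added example (not from the original page): audit how su is restricted on a host.
# Assumes GNU stat (Linux). File paths are parameters so the checks can be run
# against a copy of su or a sample PAM file instead of the live system files.

# Print the octal mode of a file, e.g. 4750.
file_mode() { stat -c '%a' "$1"; }

# Print the numeric owner uid / the group name of a file.
file_owner_uid() { stat -c '%u' "$1"; }
file_group() { stat -c '%G' "$1"; }

# Return 0 if the setuid bit (04000) is set in the mode.
is_setuid() {
    [ $(( 0$(file_mode "$1") & 04000 )) -ne 0 ]
}

# Return 0 if "others" have no permission bits at all (mode ends in 0),
# i.e. users outside the owning group cannot execute the file.
others_locked_out() {
    [ $(( 0$(file_mode "$1") & 07 )) -eq 0 ]
}

# Return 0 if the file is setuid AND owned by uid 0: a working setuid-root binary.
# A copy of su that is not setuid root cannot switch users (see Q. One).
is_setuid_root() {
    is_setuid "$1" && [ "$(file_owner_uid "$1")" -eq 0 ]
}

# Return 0 if a PAM config file has an active (uncommented) line of the form
#   auth required [/path/]pam_wheel.so ... use_uid
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+(/[^[:space:]]*/)?pam_wheel\.so.*use_uid' "$1"
}

# Report on a su binary and its PAM config. Returns 0 when at least one
# restriction (group-only mode or pam_wheel) is in place, 1 otherwise.
audit_su() {
    su_bin=${1:-/bin/su}
    pam_file=${2:-/etc/pam.d/su}
    restricted=1
    if is_setuid_root "$su_bin"; then
        echo "$su_bin: setuid root (mode $(file_mode "$su_bin"), group $(file_group "$su_bin"))"
    else
        echo "$su_bin: NOT a setuid-root binary; this file cannot switch users"
    fi
    if others_locked_out "$su_bin"; then
        echo "$su_bin: not executable by others; only root and group $(file_group "$su_bin") can run it"
        restricted=0
    else
        echo "$su_bin: executable by everyone"
    fi
    if [ -r "$pam_file" ] && pam_wheel_enforced "$pam_file"; then
        echo "$pam_file: pam_wheel with use_uid is enforced"
        restricted=0
    else
        echo "$pam_file: no active pam_wheel line"
    fi
    return $restricted
}
```

Source the file and call `audit_su` with no arguments to check /bin/su and /etc/pam.d/su (on distributions where su lives in /usr/bin/su, pass that path instead), or append `audit_su "$@"` to run it as a script. Package upgrades may restore the packaged mode and group of the su binary, so the permission-based method in 1) is worth re-checking after updates; the PAM rule in 3) is a configuration file and survives them.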

Q. Three: Even if ordinary users cannot execute the su command, could the root password still be obtained through a brute-force attack?

A: Ordinary users can try to brute-force the root account from a local shell or over ssh. To protect against this we can consider security tools such as pam_abl, which temporarily bans an account for a configurable time after too many wrong logins. Of course, ordinary users can also elevate privileges through program vulnerabilities, such as a buffer overflow.
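As an added example (not from the original post) of detecting the brute-force attempts this answer describes, the script below counts failed su-to-root attempts per user in a syslog-style auth log and reports accounts that reach a threshold. The log lines are constructed samples in the format su writes on failure ("FAILED SU (to root) user on tty"); the hostname islab, the usernames and the PIDs are made up, and the sample is embedded so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): report users with repeated failed
# su-to-root attempts in an auth log. Real logs live in /var/log/auth.log or
# /var/log/secure; the lines below are constructed samples in su's log format.

SAMPLE_LOG=$(cat <<'EOF'
Jan  8 10:01:02 islab su[2001]: FAILED SU (to root) zhaoke on pts/0
Jan  8 10:01:09 islab su[2002]: FAILED SU (to root) zhaoke on pts/0
Jan  8 10:01:15 islab su[2003]: FAILED SU (to root) zhaoke on pts/0
Jan  8 10:01:20 islab su[2004]: FAILED SU (to root) zhaoke on pts/0
Jan  8 10:02:33 islab su[2010]: + pts/1 alice:root
Jan  8 10:05:41 islab su[2020]: FAILED SU (to root) bob on pts/2
Jan  8 10:06:00 islab sshd[2100]: Failed password for root from 192.0.2.10 port 5555 ssh2
EOF
)

# Print "<user> <count>" for every user whose failed su-to-root attempts in the
# given log file reach the threshold (default 3), highest count first.
# Successful switches ("+ pts/1 alice:root") and sshd lines are ignored.
failed_su_report() {
    logfile=$1
    threshold=${2:-3}
    awk -v thr="$threshold" '
        /su\[[0-9]+\]: FAILED SU \(to root\)/ {
            # the user name is the field right after "root)"
            for (i = 1; i <= NF; i++) if ($i == "root)") { fails[$(i+1)]++; break }
        }
        END { for (u in fails) if (fails[u] >= thr) print u, fails[u] }
    ' "$logfile" | sort -k2,2nr -k1,1
}

# Run the report over the constructed sample (threshold as optional argument).
demo_report() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    failed_su_report "$tmp" "${1:-3}"
    rm -f "$tmp"
}
```

With the default threshold of 3, `demo_report` lists only zhaoke (4 failures); bob's single failure is below the threshold. Pointing `failed_su_report` at the real auth log and running it from cron gives a simple complement to a lockout module such as pam_abl: the module stops the attempt, the report tells you which accounts to look at.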
