  Linux su Command Security Suggestions
     
  Add Date : 2017-01-08      
         
       
         
  First, look at how the Linux man page describes su: "su - run a shell with substitute user and group IDs". That is to say, with su we can start a shell without supplying a user or group name. su is a binary executable file, and its path is /bin/su. The following commands query the path and file type of su:

Example One:
islab $ which su
/bin/su
Example Two:
islab $ file /bin/su
/bin/su: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, stripped
Example Three:
islab $ ll /bin/su
-rwsr-xr-x 1 root root 24060 Jan 10 2007 /bin/su
From Examples Two and Three, we can see that su is a setuid program (the setuid bit can be set with chmod u+s; in the ls output it appears as the s in the owner's permissions). In this case, su runs with the privileges of its owner rather than those of the user who invoked it; that is to say, when you run su, your privileges are raised to the equivalent of root.
From Example Two, we can see that the file type is a setuid ELF 32-bit LSB shared object, which means that this program needs the libc library, requires the ELF interpreter, and complies with the LSB specification.

Q1: Can ordinary users copy the su command from another machine?

A: They can copy the su command from another machine, but they cannot set the ownership and permissions that su needs (chown root and chmod u+s), so the copied su will not work properly.

Q2: How can ordinary users be prevented from running the su command?

Answer:
1) Set up a special group so that only members of that group can execute su (zhaoke is the example account, as in method 3):
islab # groupadd wheel
islab # usermod -a -G wheel zhaoke
islab # chown root:wheel /bin/su
islab # chmod 4750 /bin/su

2) Allow only the root user to execute su:
islab # chmod 4700 /bin/su

3) Use the PAM library so that only members of the wheel group can execute su. The following example adds the zhaoke account to the wheel group.

islab # groupadd wheel
islab # usermod -a -G wheel zhaoke
islab # ll /lib/security/pam_wheel.so
-rwxr-xr-x 1 root root 5692 Feb 22 2007 /lib/security/pam_wheel.so
islab # vi /etc/pam.d/su

Add the following line:

auth required /lib/security/pam_wheel.so use_uid

Save the configuration file and exit.
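
The following script is an added example, not part of the original article. It reports which of the restrictions from Q1 and Q2 is actually in effect by classifying the owner, group and mode of su and checking /etc/pam.d/su for an active pam_wheel line. The function names are hypothetical, and audit_su assumes GNU stat.

```shell
#!/bin/sh
# Added example: audit how su is restricted. Function names are hypothetical.

# Classify su from its owner, group and octal mode, as printed by
# GNU `stat -c '%U %G %a'`. Prints who is able to gain root through it.
su_file_policy() {
    owner=$1; group=$2; mode=$3
    # stat prints 755 for 0755, so left-pad to four digits.
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done
    special=$(printf '%s' "$mode" | cut -c1)   # 4..7 means setuid is set
    grp=$(printf '%s' "$mode" | cut -c3)       # odd digit = execute allowed
    oth=$(printf '%s' "$mode" | cut -c4)
    if [ "$owner" != root ] || [ "$special" -lt 4 ]; then
        echo not-privileged     # e.g. a copy made by an ordinary user (Q1)
    elif [ $((oth % 2)) -eq 1 ]; then
        echo everyone           # 4755: any local user may run su
    elif [ $((grp % 2)) -eq 1 ]; then
        echo "group:$group"     # 4750: method 1
    else
        echo root-only          # 4700: method 2
    fi
}

# Succeed only if the PAM file has an uncommented auth line that makes
# pam_wheel.so mandatory (method 3). Commented-out lines do not count.
pam_wheel_enforced() {
    awk '$1 == "auth" && ($2 == "required" || $2 == "requisite") &&
         $3 ~ /(^|\/)pam_wheel\.so$/ { found = 1 }
         END { exit !found }' "$1"
}

# Audit the live system; paths default to the ones used in the article.
audit_su() {
    su_path=${1:-/bin/su}; pam_file=${2:-/etc/pam.d/su}
    # Word splitting of the stat output into three arguments is intended.
    echo "file policy: $(su_file_policy $(stat -c '%U %G %a' "$su_path"))"
    if pam_wheel_enforced "$pam_file"; then
        echo "pam policy: wheel members only"
    else
        echo "pam policy: no pam_wheel restriction"
    fi
}

if [ "${1:-}" = "--audit" ]; then audit_su; fi
```

Run the script with --audit to check the local /bin/su and /etc/pam.d/su.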

Q3: Although ordinary users cannot execute the su command, can they still obtain the root password through a brute-force attack?

A: Ordinary users can still attack the root account by brute force through a shell or ssh. We can consider using a security tool such as pam_abl to protect ssh; pam_abl can temporarily ban an account after wrong logins within a set time. Of course, ordinary users can also elevate their privileges through program vulnerabilities, such as a buffer overflow.
     
         
       
         
     
           
     
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.