  Linux SU command security Suggestions
  Add Date : 2017-01-08      
  First, let's look at how the Linux man page describes su: "su - run a shell with substitute user and group IDs". In other words, su starts a shell under a substitute user and group ID, and it can do so even when we give it no user or group name. su itself is a binary executable file located at /bin/su. The following commands show the path and the file type of su:

Example One:
islab $ which su
/bin/su
Example Two:
islab $ file /bin/su
/bin/su: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, stripped
Example Three:
islab $ ll /bin/su
-rwsr-xr-x 1 root root 24060 Jan 10 2007 /bin/su
From Examples Two and Three we can see that su is a setuid program (the setuid bit can be set with chmod u+s; ls shows it as an s in the owner's permission field). A setuid program runs with the privileges of the file's owner rather than those of the user who invoked it, so when you run su your privileges are raised to the equivalent of root.
From Example Two we can also see that the file type is a setuid ELF 32-bit LSB shared object: the program needs the libc library, requires the ELF interpreter, and complies with the LSB specification.

Q1: Can ordinary users copy the su command from another machine?

A: They can copy the su binary from another machine, but they cannot set the correct ownership and permissions on it (chown root and chmod u+s), so the copied su will not work properly.

Q2: How do you prevent ordinary users from running the su command?

1) Set up a special group and let only its members execute su. The binary must be owned by root with that group as its group, and the accounts allowed to use su are then added to the group.
islab # groupadd wheel
islab # chown root:wheel /bin/su
islab # chmod 4750 /bin/su

2) Allow only the root user to execute su.
islab # chmod 4700 /bin/su

3) Use the PAM library so that only wheel group members can execute su. The following example adds the zhaoke account to the wheel group (-a appends the group instead of replacing the account's other supplementary groups).

islab # groupadd wheel
islab # usermod -aG wheel zhaoke
islab # ll /lib/security/pam_wheel.so
-rwxr-xr-x 1 root root 5692 Feb 22 2007 /lib/security/pam_wheel.so
islab # vi /etc/pam.d/su

Add the following line:

auth required /lib/security/pam_wheel.so use_uid

Then save the configuration file and exit the editor.
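
The answers to Q1 and Q2 reduce to a few checks on the su binary and on the PAM file, which the script below turns into an audit. It is an added example, not part of the original article: the function names are hypothetical, the sample PAM file is constructed, and the mode, owner and group arguments are assumed to come from GNU stat.

```sh
#!/bin/sh
# Added example (not from the original article): classify how su is restricted.

# classify_su MODE OWNER GROUP
# Arguments are the fields printed by: stat -c '%a %U %G' /bin/su (GNU stat).
classify_su() {
    mode=$1; owner=$2; group=$3
    if [ ${#mode} -eq 3 ]; then mode=0$mode; fi   # stat omits a zero special digit
    special=${mode%???}                # 4 = setuid, 2 = setgid, 1 = sticky
    rest=${mode#?}                     # owner, group and other digits
    grp=${rest#?}; grp=${grp%?}
    oth=${rest#??}
    # Without root ownership and the setuid bit su cannot change identity
    # (the Q1 case: a copy made by an ordinary user).
    case $special in 4|5|6|7) ;; *) echo "ineffective"; return ;; esac
    [ "$owner" = root ] || { echo "ineffective"; return; }
    # An odd permission digit means the execute bit is set.
    case $oth in 1|3|5|7) echo "any-user"; return ;; esac
    case $grp in 1|3|5|7) echo "group:$group"; return ;; esac
    echo "root-only"
}

# pam_wheel_enforced FILE: succeeds if FILE holds an active (uncommented)
# "auth required ... pam_wheel.so" line such as the one added in method 3.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+([^[:space:]]*/)?pam_wheel\.so([[:space:]]|$)' "$1"
}

# audit_su MODE OWNER GROUP PAMFILE: combine both checks into one verdict.
audit_su() {
    verdict=$(classify_su "$1" "$2" "$3")
    if [ "$verdict" = any-user ] && pam_wheel_enforced "$4"; then
        verdict="pam_wheel"            # world-executable, but PAM limits it to wheel
    fi
    echo "$verdict"
}

# Constructed sample: a PAM file in which the pam_wheel line is commented out.
sample=$(mktemp)
printf '%s\n' '#auth required /lib/security/pam_wheel.so use_uid' \
              'auth sufficient pam_rootok.so' > "$sample"
audit_su 4755 root root "$sample"      # prints: any-user
rm -f "$sample"
```

On a live host the same verdict comes from `audit_su $(stat -c '%a %U %G' /bin/su) /etc/pam.d/su`.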

Q3: Even if ordinary users cannot execute the su command, can the root password still be obtained through a brute-force attack?

A: Ordinary users can brute-force the root account through a shell or over ssh. Consider using a security tool such as pam_abl to protect ssh: pam_abl can temporarily ban an account after failed logins within a set period of time. Of course, ordinary users may also elevate their privileges through program vulnerabilities, such as a buffer overflow.
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.