Controlling su access with sugroups

Using sugroups

Skill Level: Introductory

David H. Tansley (david.tansley@btinternet.com)
Systems Administrator
Ace Europe

28 Sep 2010

Using sugroups allows system administrators to restrict who can su to which account, even if the users know the password, by grouping users into sugroups. Using the NOT operator, further restriction can be placed on access control. Reporting on who is a member of which sugroup, and which accounts they can su to, needs to be identified for auditing purposes. This involves generating a report on sugroup member access and is generally considered a compliance task.

© Copyright IBM Corporation 2010. All rights reserved.

Sugroup overview

System administrators who provide su access to a user give that user the ability to switch or substitute to another user without logging out from their current account. Typically, su access is set up so that a user can temporarily switch to another account, for example the root user or an application owner. However, as application support grows, so does the maintenance overhead of administering the system. Using sugroups makes the management of su permissions more manageable, as you are dealing with groups instead of lots of individual users. Using sugroups allows system administrators to group certain users and give them the ability to su to different accounts. The actual su access is controlled by being a member of a certain AIX® group. When a user is created, you can specify a sugroup as part of the user's attributes; only members of this group are allowed to su to that user. Of course the user su-ing needs to know the password to su successfully. Other users who know the password of the user, but do not belong to the sugroup specified, will not be able to su to the said user, since they do not belong to the correct sugroup. Having stated the previous, it may not be the security policy of some systems to divulge passwords to other users. In that case, one can use sudo. This is discussed later.

When a user is created and no sugroup is specified, AIX defaults to ALL. Within AIX®, when using sugroups, the word "ALL" is a reserved word and means all groups. This means any group can su to that user.

Commands to know

To determine what sugroups are in place, there are a couple of commands that will be useful. They are:
• lsuser
• lsgroup

In the following example, the lsuser command is used to output all sugroups of all users. This list could be quite long depending on the amount of users configured on the system:

# lsuser -a sugroups ALL

To filter out the default ALL, use 'grep -v' to list all users with sugroups that do not have the default ALL attribute set. Replace ALL with the default sugroup on your system, located in /etc/security/user:

# lsuser -a sugroups ALL|grep -v ALL

To list a single user with its sugroups attributes, in this case user pinky, use the following code:

# lsuser -a sugroups pinky
pinky sugroups=wasgrp,websp

In the above output, we can see that user pinky has sugroups of wasgrp and websp.

To then list the members of the sugroups wasgrp and websp, use the following code:

# lsgroup -a users wasgrp
wasgrp users=dxtans,jgena
# lsgroup -a users websp
websp users=dcand,pxcon

So we now know that user pinky has sugroups of wasgrp and websp, and the members of those groups who are allowed to su to user pinky are: dxtans, jgena, dcand, pxcon.

You can use the grep utility to search the system user attribute defaults in the file. Depending on the placement of comments in the file, one of the following will extract just the default stanza:

grep -p "default:" /etc/security/user
grep -v ^"*" /etc/security/user| grep -p "default:"

Or better still, just grep for the sugroups in the default stanza:

# grep -p "default:" /etc/security/user| grep sugroups
        sugroups = ALL

Using sugroups

Let's look at an example of how a sugroup is implemented.

# lsuser -a sugroups dxtans
dxtans sugroups=ALL

We can see from the previous output that the sugroups attribute is set to ALL. That means any user, or any group member, has the ability to su to the account of dxtans provided they know user dxtans's password. Now let's change the sugroups attribute to only include the group smoke:

# chuser sugroups=smoke dxtans
# lsuser -a sugroups dxtans
dxtans sugroups=smoke

Looking at the members of group smoke, we only have one member: papa

# lsgroup -a users smoke
smoke users=papa

Now if user papa tries to su to the dxtans account and the password is known, access is granted:

$ whoami
papa
$ su - dxtans
dxtans's Password:
$ id
uid=203(dxtans) gid=1(staff)

If another user who is not a member of group smoke tries to su, this is what happens:

$ whoami
bravo
$ su - dxtans
dxtans's Password:
3004-307 You are not allowed to su to this account.
3004-501 Cannot su to "dxtans" : Account is not accessible.

If a user is trying to su to another user and is getting an 'Account is not accessible' message, and you are sure that the authentication via sugroups or su is correct, then check that the destination user has not breached its limit of unsuccessful login attempts. Perhaps the password has expired, or an initial password has not been set.

Attempts of su access are logged to /var/adm/sulog. Using the previous demonstration of the su attempts, we have two entries. A plus sign indicates a successful su attempt occurred from user papa to user dxtans. A minus sign indicates a failed su attempt occurred from user bravo to user dxtans:

$ tail /var/adm/sulog
SU 04/17 19:51 + pts/1 papa-dxtans
SU 04/17 19:52 - pts/1 bravo-dxtans

A must-have sugroup on any system

Hopefully thus far I have convinced you why creating sugroups is more attractive than creating lots of individual su permissions. Even if you do not buy into the use of sugroups, at least create one sugroup to manage the su to the root account.
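The sulog entries above are the record a defender reviews when checking that a sugroup policy is holding. The following POSIX shell functions are an added example, not code from the article: they summarise failed su attempts per source and target user and flag any source user with repeated failures against a target (root by default). The log lines are constructed samples in the sulog layout shown above; on a real system you would feed /var/adm/sulog into sulog_failures instead.

```shell
#!/bin/sh
# Added example (not from the article): summarise failed su attempts in
# /var/adm/sulog.  Each line has the layout shown in the article:
#   SU MM/DD HH:MM +|- tty from-to      (+ success, - failure)
# Constructed sample log; on AIX use: sulog_failures < /var/adm/sulog
SAMPLE_SULOG='SU 04/17 19:51 + pts/1 papa-dxtans
SU 04/17 19:52 - pts/1 bravo-dxtans
SU 04/17 19:55 - pts/2 bravo-dxtans
SU 04/17 20:01 - pts/2 bravo-root
SU 04/17 20:03 + pts/3 john-root
SU 04/17 20:10 - pts/4 alpha-charlie'

# sulog_failures: read sulog lines on stdin, print "from to count" for every
# failed (-) attempt pair, most frequent first.  Field 4 is the +/- result,
# field 6 is "from-to" (user names containing "-" are not handled).
sulog_failures() {
    awk '$1 == "SU" && $4 == "-" {
            split($6, p, "-")                 # p[1]=source, p[2]=target
            n[p[1] " " p[2]]++
         }
         END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1
}

# sulog_alert THRESHOLD [TARGET]: print each source user with at least
# THRESHOLD failed attempts against TARGET (default root); exit status 0
# when at least one such user exists, 1 otherwise.
sulog_alert() {
    threshold=$1; target=${2:-root}
    sulog_failures | awk -v t="$threshold" -v tgt="$target" \
        '$2 == tgt && $3 >= t { print $1; hit = 1 }
         END { exit hit ? 0 : 1 }'
}

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE_SULOG" | sulog_failures
printf '%s\n' "$SAMPLE_SULOG" | sulog_alert 1 root && echo "alert: failed su to root"
```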

Typically, system administrators log in as themselves and then su to root. The root user should not be allowed to log in directly via telnet. The user root should only be allowed to log in via the direct console. Having stated this, when using ssh, using root to ssh across systems can be desirable when dealing with updates and file/script roll-out. It is good practice for root to only be allowed to ssh out from deployment servers.

I will now demonstrate how the following users (who are system administrators) will be the only ones allowed to su to root. The users are: john, peter, jane

The first task is to create a group; we'll call it sysadmin. Only members of this group are allowed to su to root. Create the group with members john, peter, jane:

# mkgroup -A users="john,peter,jane" sysadmin

Confirm group members:

# lsgroup -a users sysadmin
sysadmin users=john,peter,jane

Give user root a sugroup of sysadmin:

# chuser sugroups=sysadmin root
# lsuser -a sugroups root
root sugroups=sysadmin

Only members of sysadmin, whose members are listed above, can now su to root.

Initial denial

There may be occasions when you create a new user on a system and want to forbid anyone from being able to su to this user. For example, suppose we had a user called brown. Due to the sensitive nature of the user's environment, no one should be able to su to that account (except root). One way to do this is to create a group that has no members. Then you can use that group name as a sugroup attribute of that user. We could create a group called none with no members:

# mkgroup -A none

# lsgroup -a users none
none users=

Then change the user's account sugroups attribute to include that group:

# chuser sugroups=none brown
# lsuser -a sugroups brown
brown sugroups=none

As no one belongs to the group none, no normal user can su to the account of user brown. Then one can gradually lift the security of that user as your security policy demands. You can also use this method to temporarily restrict certain groups.

If you want to make it a more permanent feature, you could edit the /etc/security/user file. Within the default stanza, in the sugroups entry, put in the group just created:

sugroups = none

Now when new users are created, by default they will have that sugroup set (no one can su to that user). Please note, all users that already have their sugroups set to ALL (the default) will now have 'none' as their sugroups attribute.

You can put any name in the default stanza of the sugroups entry. AIX will pull in this value without checking in /etc/group that the group name is actually valid. Normal restrictions apply though with regards to name length and valid characters. If the user's sugroups entry is then amended via smit or chuser, and you try to use this non-existent group name value, it will check /etc/group and the command will fail.

Sugroup restriction

As previously stated, when creating a new user, all users will use that default (which is ALL), unless you change the default sugroups value. To further restrict sugroups access, AIX provides the NOT operator '!'. By enforcing this rule in the sugroups attribute, you can specify by group who is denied the ability to su to certain users. The format for the rule is:

!<group_name>

So, the groups that have the NOT operator before the group name will be denied access to su to that account. That may beg the question, "Why?" For ordinary users, this provides greater flexibility in su management by not creating many groups to control or satisfy access to different accounts.

Let's look at an example of how sugroups using the NOT operator might be effective. Suppose we had a group called sun. From the output of the following lsgroup, we can determine the users of the group:

# lsgroup -a users sun
sun users=alpha,bravo

So, the members are: alpha, bravo

To allow all users the ability to su to user charlie, but deny access to the members of the group sun, we would use the following command:

# chuser sugroups="!sun,ALL" charlie

Note in the above command the order of the NOT operator: we first deny, then allow.

The following commands list the sugroups and group attributes of the users discussed: alpha, bravo, charlie

# lsuser -a sugroups groups alpha
alpha sugroups=ALL groups=staff,sun
# lsuser -a sugroups groups bravo
bravo sugroups=ALL groups=staff,sun
# lsuser -a sugroups groups charlie
charlie sugroups=!sun,ALL groups=staff

Now if user delta, who is not a member of the restricted group sun, attempts to su to user charlie and knows the password, the authentication will succeed:

# lsuser -a sugroups groups delta
delta sugroups=ALL groups=staff,water,fire,mobgrp

As user delta:

$ id
uid=220(delta) gid=1(staff) groups=206(water),207(fire),215(mobgrp)
$ su - charlie
charlie's Password:
$ id
uid=211(charlie) gid=1(staff)

If user alpha, who is a member of the restricted group sun, tries to su to the user charlie, he will be denied access. As user alpha:

$ id
uid=209(alpha) gid=1(staff) groups=214(sun)
$ su - charlie
charlie's Password:
3004-307 You are not allowed to su to this account.
3004-501 Cannot su to "charlie" : Account is not accessible.

Let's look at another example of why we might use the NOT operator. Suppose we had an account called ukflag, to which we are going to restrict su access. We do not want users who belong to the groups fire and cloud to be able to su to user ukflag; only members of earth should be allowed. First change the user ukflag sugroups attribute, and then confirm the change:

# chuser sugroups="!fire,!cloud,earth" ukflag
# lsuser -a sugroups ukflag
ukflag sugroups=!fire,!cloud,earth

Members of group earth are going to be allowed su access to user ukflag:

# lsgroup -a users earth
earth users=zulu

Let's now see who belongs to the groups cloud and fire.

# lsgroup -a users fire
fire users=plutt,echoa,golf,juliet
# lsgroup -a users cloud
cloud users=hotel,kilo,india

From the lsgroup output we now know that only the following user will be allowed to su to the ukflag account: zulu. Also from the lsgroup output, we know the following users will be denied access to su to the ukflag account: plutt, echoa, golf, juliet, hotel, kilo, india.
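Before applying a rule like the ones above with chuser, it helps to predict who it admits. The shell function below is an added example, not code from the article or part of AIX: it models sugroups evaluation as the article describes it (entries are read left to right, a leading '!' denies that group's members, ALL matches every group, and a rule that matches nothing, such as the empty group none, denies). The GROUP_TABLE is constructed stand-in data in place of lsuser -a groups, and "first matching entry wins" is an assumption drawn from the article's note on operator order; it also shows why "ALL,!sun" would not deny anyone.

```shell
#!/bin/sh
# Added example (not from the article): evaluate an AIX-style sugroups
# attribute such as "!fire,!cloud,earth" against a requesting user's groups.
# Assumption: entries are tested left to right and the first entry matching
# one of the user's groups decides ("!" denies); ALL matches any group;
# a rule with no matching entry denies (this covers sugroups=none).

# Constructed stand-in for "lsuser -a groups <user>": "<user>:<group,...>"
GROUP_TABLE='alpha:staff,sun
bravo:staff,sun
delta:staff,water,fire,mobgrp
papa:staff,smoke
plutt:staff,water,fire
zulu:staff,earth
brown:staff'

# user_groups USER: print the user's groups, one per line (nothing if unknown)
user_groups() {
    printf '%s\n' "$GROUP_TABLE" |
        awk -F: -v u="$1" '$1 == u { gsub(",", "\n", $2); print $2 }'
}

# su_allowed USER SUGROUPS: exit 0 if USER may su to an account whose
# sugroups attribute is SUGROUPS, 1 if denied.
su_allowed() {
    user=$1; rule=$2
    groups=$(user_groups "$user")
    for entry in $(printf '%s\n' "$rule" | tr ',' ' '); do
        case $entry in
            '!'*) want=${entry#'!'}; verdict=1 ;;   # NOT operator: deny on match
            *)    want=$entry;       verdict=0 ;;   # plain group: allow on match
        esac
        for g in $groups; do
            if [ "$want" = ALL ] || [ "$want" = "$g" ]; then
                return $verdict
            fi
        done
    done
    return 1   # no entry matched: deny
}

# explain USER SUGROUPS: human-readable verdict for the demonstration below
explain() {
    if su_allowed "$1" "$2"; then
        echo "$1 may su to an account with sugroups=$2"
    else
        echo "$1 is denied su to an account with sugroups=$2"
    fi
}

explain delta '!sun,ALL'              # allowed: not in sun, ALL matches
explain alpha '!sun,ALL'              # denied:  member of sun
explain plutt '!fire,!cloud,earth'    # denied:  member of fire
explain zulu  '!fire,!cloud,earth'    # allowed: member of earth
explain brown none                    # denied:  none has no members
explain alpha 'ALL,!sun'              # allowed: ALL is hit before !sun
```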

This can now be demonstrated, from the account of user plutt, a member of the fire group:

$ id
uid=230(plutt) gid=1(staff) groups=206(water),207(fire)
$ su - ukflag
ukflag's Password:
3004-307 You are not allowed to su to this account.
3004-501 Cannot su to "ukflag" : Account is not accessible.

And from user zulu, a member of the earth group:

$ id
uid=228(zulu) gid=1(staff) groups=209(earth)
$ su - ukflag
ukflag's Password:
$

As demonstrated, using the NOT operator allows fine tuning, via sugroups, of which users are able to su to an account.

Password not required

When providing su access, it may not be appropriate to allow other users to know the password of an account that they are allowed to su to. This could particularly be the case for application accounts, when support users need to gain access to resolve an issue. Using sudo, one can let these users gain authorized access to the accounts they are allowed to su to without knowing the password. Imagine we have support users alpha, bravo and charlie, who all belong to the group app_supp. As part of their responsibility, they need to gain access to the production environment account: ukflag. Simply edit the /etc/sudoers file and put in the following entry, replacing rs6000 with your hostname:

%app_supp rs6000 = NOPASSWD:/usr/bin/su - ukflag

Check group members:

# lsgroup -a users app_supp
app_supp users=alpha,bravo,charlie

Check the user can su via sudo to the account ukflag:

$ whoami
alpha
$ sudo -l
User alpha may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/su - ukflag
$ sudo -u root su - ukflag
$ whoami
ukflag

You can have many su entries in sudo; just be sure to separate each su entry with a comma, like so:

%app_supp rs6000 = NOPASSWD:/usr/bin/su - ukflag, /usr/bin/su - ieflag, /usr/bin/su - plflag

Reporting on sugroups

When using sugroups, it can sometimes become time consuming to review all the sugroups access you have in place, especially when dealing with many systems. It could be advantageous to create a script that generates a snapshot of the sugroups and members. In Listing 1, I present a script that will give an overview of the sugroups in place. It was originally two scripts, but I have merged them for this demonstration into one script. The script builds on the commands used in the section "Commands to know." When the script is executed, it displays all users who do not have ALL as part of their sugroups attribute. Then, it lists the user and the sugroups of that user. The second part of the script will display each sugroup and its respective members.

Listing 1. su_rep1

#!/bin/sh
# su_rep1
list=$(cat /etc/passwd| awk -F: '{print $1}' | sort)
echo "user       su groups *(Denied su access)
========================================="
#
# display user and sugroups (ALL is dropped; a leading ! is shown as *)
for loop in $list
do
  sugrp=$(lsuser -a sugroups $loop | sed s/ALL//g | awk -F= '{print $2}'|sed 's/,/ /g')
  if [ "$sugrp" != "" ]
  then
    sugrp=$(echo $sugrp|sed 's/!/*/g')
    printf "%-10s %-40s\n" "$loop" "$sugrp"
  fi
done
#
# list sugroups and members (every distinct group named in any sugroups attribute)
echo "\nsugroup    sugroup members
=========================="
sugrp_list=$(lsuser -a sugroups ALL| sed s/ALL//g | awk -F= '{print $2}'| tr " " "\n" \
|sed 's/,/ /g' | sed 's/!//g'|tr " " "\n" |awk '!array[$0]++')
for loop in $sugrp_list
do
  sugrp_list=$(lsgroup -a users $loop | awk -F= '{print $2}')
  if [ "$sugrp_list" = "" ]
  then
    sugrp_list=" -- No Members --"
  fi
  printf "%-10s %-40s\n" "$loop" "$sugrp_list"
done

When su_rep1 contained in Listing 1 is executed, on my system output similar to the following is produced:

user       su groups *(Denied su access)
=========================================
charlie    *sun
dxtans     smoke
papa       syb
root       admin sysadmin
ukflag     *fire *cloud earth
xray       water earth *smoke
zulu       fire

sugroup    sugroup members
==========================
admin      dxtans
sysadmin   john,peter,jane
smoke      papa
sun        alpha,bravo
water      delta,plutt
earth      zulu
fire       delta,echoa,golf,juliet,plutt
syb        wwpdpga1,wwpdclt2,spoll
cloud      hotel,india,kilo

Conclusion

Using sugroups enables system administrators to control access to individual user accounts by group membership. When being audited, you will have to prove to the auditor the access control between normal, application and system accounts, and how the sugroup policy is being monitored. Sugroups provide one method of implementing and managing the security policy on your systems. This article has demonstrated how sugroups can be implemented. A script has also been provided to display sugroup access.

Resources

Learn
• For additional information see the su and chuser manpages.

Discuss
• Follow developerWorks on Twitter.
• Get involved in the My developerWorks community.
• Participate in the AIX and UNIX® forums:
  • AIX Forum
  • AIX Forum for developers
  • Cluster Systems Management
  • IBM Support Assistant Forum
  • Performance Tools Forum
  • Virtualization Forum
  • More AIX and UNIX Forums

About the author

David H. Tansley

David Tansley is a freelance writer. He has 15 years of experience as a UNIX administrator, using AIX for the last eight years. He enjoys playing badminton and then relaxing watching Formula 1, but nothing beats riding and touring on his GSA motorbike with his wife.
