su
The command “su” stands for “switch user”. And it does just that, it switches users.
When it is used without parameters, we are specifying a switch to the root user. However, we can use the su command to switch to a shell as any user account whose password we know. In the first example, we are logged in as the user Bob and switch to the user Pat.
[Bob@host Bob]$ su Pat
Password:
[Pat@host Bob]$
In this second example, we are switching from being logged on as a user called Bob to being logged on as root. Notice to switch to root, we don’t need to specify a username.
[Bob@host Bob]$ su -
Password:
[root@host root]#
If we restrict the built-in root account from logging in over SSH, then we force remote users to authenticate as themselves first and then su to run privileged commands if need be, which leaves a decent audit trail. The downside is that those users still need to know the root account password.
If you would like to restrict the use of the su command, you can limit it to the members of a specific group called wheel. This group is defined in the /etc/group file by default and its membership can be modified by root. In order to limit su to the wheel group members we need to modify a configuration file called /etc/pam.d/su.
There is a single line in this file that needs to be uncommented to limit the use of su. The line is shown below as it appears in that file; all that is required is the removal of the # symbol at the start of the line.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
The attempts to switch to the root account are logged in /var/log/messages.
sudo
The downside of the su command is that operators who elevate their privilege to root simply become root: they have full privilege, they know the root password, and there is no granularity in the delegation of privilege.
sudo allows delegation of administration in terms of specific commands that normally only a particular user (usually root) can execute. So if the user Pat had been given the authority to run vmkfstools, sudo would be used like this:
[Pat@host Pat]$ sudo vmkfstools
The vmkfstools command then runs under the security context of the root user. The superb feature of this tool is that the user Pat does not need to know or supply the root password to be able to run the delegated command. Further, we keep an audit trail of when sudo was invoked in /var/log/secure.
The sudo tool uses the lookup file /etc/sudoers to determine which users can run which commands. We do not edit this file with a regular text editor like vi or nano; instead we use the tool visudo.
visudo
This is the vi text editor with extras. When launched, it automatically opens the /etc/sudoers file and locks it for exclusive editing. The point of visudo is to ensure we always edit the right file: the location of the sudoers file differs between *nix distributions, but this command is constant and will use the right sudoers file for the distribution in use.