1

I want users to be able to use "sudo su -", but not to switch user by password.

What are the most optimal permissions for /bin/su?

Right now it's:

-rwsr-xr-x. 1 root root 42436 Jul 26 18:19 /bin/su

I was thinking about changing this to 700, is this a bad idea?

ujjain

1 Answer

4

Yes, this is a bad idea. You don't need sudo su -, teach your users to do sudo -i instead. Which means you then don't need su and can set up your pam configuration to only allow root to use su.

Mucking about with the filesystem permissions of /bin/su is then no longer needed, which is good, because any upgrade of su would restore them to their defaults.

Dennis Kaarsemaker
  • Interesting, the --login (-i) option for su, but it fails on an ipa/Idm environment, whereas the sudo su - trick works. I cannot post the whole thing (too little room in a comment, but I get a generic krb5 error). My user has sudo root rights (nopasswd) – natxo asenjo Dec 24 '13 at 14:50
  • @natxoasenjo That sounds like a separate question. – Michael Hampton Dec 24 '13 at 15:36
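
The PAM restriction suggested in the answer can be audited with a script like the one below. This is an added example, not part of the original answer. It assumes the restriction is written as `pam_rootok.so` marked `sufficient` followed directly by `pam_deny.so`, so root (including anyone arriving through sudo) passes and every password-based su is refused. The function name, file names and RHEL-style sample stacks are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the auth stack of a PAM "su" service file.
# Prints "root-only" only when the first two auth rules are
#   auth sufficient pam_rootok.so  then  auth required|requisite pam_deny.so
# and "open" otherwise (deliberately conservative: any other layout is flagged).
check_su_pam() {
    awk '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        $1 != "auth"   { next }   # only the auth stack decides who may su
        {
            n++
            if (n == 1 && !($2 == "sufficient" && $3 == "pam_rootok.so")) exit
            if (n == 2) {
                if (($2 == "required" || $2 == "requisite") && $3 == "pam_deny.so") ok = 1
                exit
            }
        }
        END { print (ok ? "root-only" : "open") }
    ' "$1"
}

SAMPLES=$(mktemp -d)
# Constructed sample: stock-style stack, password auth reachable by any user.
cat > "$SAMPLES/su.default" <<'EOF'
#%PAM-1.0
auth     sufficient   pam_rootok.so
auth     include      system-auth
account  include      system-auth
session  include      system-auth
EOF
# Constructed sample: anything that is not already uid 0 is denied.
cat > "$SAMPLES/su.hardened" <<'EOF'
#%PAM-1.0
auth     sufficient   pam_rootok.so
auth     required     pam_deny.so
account  include      system-auth
session  include      system-auth
EOF
for f in "$SAMPLES"/su.*; do
    printf '%s: %s\n' "${f##*/}" "$(check_su_pam "$f")"
done
```

On a real host the function would be pointed at /etc/pam.d/su; unlike a chmod on /bin/su, that file is configuration rather than the binary itself.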