Preventing normal users from using the su command

I was asked how to force normal users to use the sudo command and to never allow them use the su command.  The reason given was for auditing purposes.  The sudo command logs “who” and “what”, whereas the su command does not.

Here is one solution to the problem.  Remove the execute permissions for group others.


$ sudo chmod o-x /bin/su

Now create a rule in /etc/sudoers to handle a case where a user, identified by the username thomas, might try to run “sudo su”.


Cmnd_Alias SU = /bin/su

thomas ALL=(ALL) !SU

 

Advertisements

dumpe2fs/tune2fs: Manipulating the ext fs auto-check parameters

File-system checks are a good and necessary thing.  So I don’t wish to debate their appropriateness.  I just want to show you how to avoid them by manipulating the counters stored in the superblock of your ext3 and ext4 file-systems.   There are many setttings stored in your file-system’s superblock.  The ones that I a’m concerned with today are:

  • Mount count – Number of times the file system has been mounted
  • Maximum mount count – When this value is reached force a file-system check at boot
  • Last checked – Date of the last file-system check
  • Check interval – How often should file-system checks be done
  • Next check after – Based on the current Check interval when will the next forced file-system check occur.

You can display these values using dumpe2fs.  I have an ext4 file-system on a device named /dev/md0.

$sudo dumpe2fs -h /dev/md0 | egrep -i 'mount count|check'
dumpe2fs 1.41.9 (22-Aug-2009)
Mount count:              7
Maximum mount count:      29
Last checked:             Sat May  8 17:58:12 2010
Check interval:           15552000 (6 months)
Next check after:         Thu Nov  4 17:58:12 2010

I have used dumpe2fs a few times to check whether or not I can expect a lengthy file-system check pending on my next reboot.

Lets set the “Last checked” date to now.  In other words lets make it appear as though we have already completed a successful file-system check.

$sudo tune2fs -T now /dev/md0

Lets verify the results.  The “Next check” has now been pushed out to April.

$ sudo dumpe2fs -h /dev/md0 | egrep -i 'check'
dumpe2fs 1.41.9 (22-Aug-2009)
Last checked:             Sun Oct 24 12:20:43 2010
Check interval:           15552000 (6 months)
Next check after:         Fri Apr 22 12:20:43 2011

Similarly if you want to set the “Mount count” to a particular value (such as 6)

$sudo tune2fs -C 6 /dev/md0

To change the time based check interval to 3 months (90 days), use the -i option.

$sudo tune2fs -i 90d /dev/md0

If you have used tune2fs in an interesting way, post a comment and let me know.