[comp.unix.sysv386] Using su under SCO 3.2.2

netnews@netcom.UUCP (USENET Administration) (09/21/90)

We can't seem to use /bin/su for anything more than su-ing to root.
Can't su to any other uid (it asks for a password, but always fails,
as if the password were wrong).  Is this typical of C2 security?  Any way
around it?
-- 
netcom!news					Usenet News

rvdp@cs.vu.nl (Ronald van der Pol) (09/22/90)

netnews@netcom.UUCP (USENET Administration) writes:

>We can't seem to use /bin/su for anything more than su-ing to root.
>Can't su to any other uid (it asks for a password, but always fails,
>as if the password were wrong).  Is this typical of C2 security?  Any way
>around it?
	No, a user can only su to root and only if you explicitly give
	him/her that 'privilege'. Just like nobody is allowed to run
	login (even root!!). Don't expect SCO Unix to behave like a
	normal (BSD/sysV) Unix system. There are far too many
	ridiculous "features".

--
		Ronald van der Pol  <rvdp@cs.vu.nl>

davidsen@sixhub.UUCP (Wm E. Davidsen Jr) (09/22/90)

In article <13538@netcom.UUCP> netnews@netcom.UUCP (USENET Administration) writes:
| We can't seem to use /bin/su for anything more than su-ing to root.
| Can't su to any other uid (it asks for a password, but always fails,
| as if the password were wrong).  Is this typical of C2 security?  Any way
| around it?

  I think there's something in admin which gets by this, but it's
definitely C2ish. I can live better with too much security than too
little.
-- 
bill davidsen - davidsen@sixhub.uucp (uunet!crdgw1!sixhub!davidsen)
    sysop *IX BBS and Public Access UNIX
    moderator of comp.binaries.ibm.pc and 80386 mailing list
"Stupidity, like virtue, is its own reward" -me

rickf@pmafire.UUCP (rick furniss) (09/23/90)

   Individual type users cannot su to other individual accounts.

   To have a user be able to su to another account do the following:
   Make sure the user has the su authorization,
user must be created as an operator, administrator, or other TYPE
user that is allowed to su to individual user accounts.
     OR
  You must create the account to be su'd to as a TYPE user other than
individual, and then allow the other user as the su login user for that
account.  Play around with it, you'll get it figured out.
  TYPE users are superuser, operator, administrator, security, pseudo, &
individual.
  To see how this all works, create a new user, without using the defaults

  I personally purchased SCO Unix partially because it had C2 myself.
  It's part of the future of computing, just as well get used to it.
  Too many years people, businesses have cried for security, now they are
starting to get it.
   It's too bad you cannot relax it to no security, for those who really
want to leave their systems open.


Rick Furniss
rlf@inel.gov

rad@genco.uucp (Bob Daniel) (09/27/90)

In article <1990Sep23.062734.16935@pmafire.UUCP> rickf@pmafire.UUCP (rick furniss) writes:
>  I personally purchased SCO Unix partially because it had C2 myself.
>  It's part of the future of computing, just as well get used to it.
>  Too many years people, businesses have cried for security, now they are
>starting to get it.
>   It's too bad you cannot relax it to no security, for those who really
>want to leave their systems open.

It is possible to 'relax' 3.2.2 to almost no security under sysadmsh
security.  There is a 'relax' option.  It is extremely relaxed though...
If you do this, it is possible to login as 'root' over a modem.

rhealey@digibd.com (Rob Healey) (09/27/90)

In article <1943@sixhub.UUCP> davidsen@sixhub.UUCP (bill davidsen) writes:
>In article <13538@netcom.UUCP> netnews@netcom.UUCP (USENET Administration) writes:
>| We can't seem to use /bin/su for anything more than su-ing to root.
>| Can't su to any other uid (it asks for a password, but always fails,
>| as if the password were wrong).  Is this typical of C2 security?  Any way
>| around it?
>
	Not sure if this will help but try changing the u_secclass=c2 to
	u_secclass=d in /etc/auth/system/default file and rebooting. Might
	help SCO UNIX to lighten up a bit...

		-Rob

Speaking for self, not company.