Exam Objective 4.3: Perform system security by switching users on a system, and by becoming root and monitoring su attempts.
Let's now address what seems to be a prevalent confusion among beginners. That confusion relates to the relationship between the command su and the terms switching user and superuser. Read my lips—Becoming superuser and switching user (su) are not the same thing. Superuser denotes the administrative account, normally the root account. We use the terms Superuser and root interchangeably in this book, just as those terms are used in the field. However, remember that the command su refers to switching user, and as you will see, you can use this command to switch to any user and not just the root.
You must be logged in as root (that is, superuser) to perform several system administrative tasks, such as security administration. While logged on to a system and doing security administration, you may need to jump from account to account. One way of doing so is to log out from the current account that you are logged into and log in to the other account. An alternative and more efficient method is to use the su command, which allows you to switch from one account to another without logging out. If you are not logged in as root when you issue the su command, you need to give the password for the account you are switching to.
If you are logged in as a root user, you can switch to other users using the su command, and you will not be asked for a password. If you are not logged in as root, you will be asked for a password when you want to switch to another account.
Furthermore, when you are logged in as root, the prompt turns to # (pound sign). Following is the syntax for the su command:
su [-] [<username> [<arg>...]]
For example, the following command will switch you to the sys account while retaining your current environment:
su sys
The following command will switch you to the bin account and will also switch the environment to what it would be if you were originally logged in as bin:
su - bin
The superuser access to the system is necessary for performing system administration tasks. But it is also the most dangerous access when an intruder succeeds in getting it. Therefore, it is essential to monitor superuser access attempts to the system, which we discuss next.
Given all the administrative capabilities a superuser has, monitoring superuser access to a Solaris system is very important from a security perspective. The monitoring can be performed in two ways: observing the accesses, and restricting them.
On the Job: The root account is created by the system during installation as a superuser account. However, any account that has a UID of 0 will assume the capabilities of a superuser.
The system lists all the uses of the su command in the following file:
/var/adm/sulog
Remember, all attempts to switch users, not just the attempts to switch to superuser, are recorded in the sulog file. The entries in the sulog file look like the following:
SU 01/23 15:23 - pts/0 jkerry-root
MO 01/24 11:39 + pts/0 gbush-jkerry
TU 01/25 10:49 + pts/0 root-jkerry
The columns in the output mean the following:
The first three columns indicate the time at which the attempt was made.
The fourth column contains a minus sign (-) if the attempt was unsuccessful and a plus sign (+) if the attempt was successful.
The fifth column lists the port from which the attempt was made.
The sixth column lists the name of the original user and the switched identity.
Before the system starts logging the usage of the su commands into the sulog file, you need to set it up by editing the following file:
/etc/default/su
Uncomment the following entry in this file:
SULOG=/var/adm/sulog
Save the file. You have just told the system in which file to log the su usage attempts. Of course, you have to be a superuser to perform this exercise.
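As an added example (not from the book), the following POSIX shell functions audit sulog entries in the format shown above, reporting failed attempts to become root and the users who fail repeatedly, and check whether the SULOG line in /etc/default/su has actually been uncommented. The sulog lines and the /etc/default/su contents used here are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the book: parse sulog-style lines and audit su-to-root
# attempts, then check that SULOG is enabled in /etc/default/su.

# Constructed sample sulog lines (same layout as the entries shown in the text).
SAMPLE_SULOG='SU 01/23 15:23 - pts/0 jkerry-root
MO 01/24 11:39 + pts/0 gbush-jkerry
TU 01/25 10:49 + pts/0 root-jkerry
TU 01/25 10:52 - pts/3 gbush-root
TU 01/25 10:53 - pts/3 gbush-root
WE 01/26 09:01 + console gbush-root'

# Constructed /etc/default/su contents: SULOG still commented out (logging off).
SAMPLE_SU_DEFAULT_OFF='#SULOG=/var/adm/sulog
CONSOLE=/dev/console'

# failed_root_su: read sulog lines on stdin; print "date time port from-user"
# for each failed (-) attempt whose target identity is root.
failed_root_su() {
  awk '$4 == "-" && $6 ~ /-root$/ {
         from = $6; sub(/-root$/, "", from)
         print $2, $3, $5, from
       }'
}

# count_failed_root_su: number of failed su-to-root attempts on stdin.
count_failed_root_su() {
  failed_root_su | awk 'END { print NR }'
}

# repeat_offenders: users with at least $1 (default 2) failed su-to-root attempts,
# printed as "user count"; one mistyped password is normal, several are worth a look.
repeat_offenders() {
  threshold="${1:-2}"
  failed_root_su | awk -v t="$threshold" '{ n[$4]++ }
       END { for (u in n) if (n[u] >= t) print u, n[u] }'
}

# sulog_enabled: read /etc/default/su contents on stdin; succeed only if an
# uncommented SULOG= line names a log file (a leading # means logging is off).
sulog_enabled() {
  grep -q '^SULOG=/'
}

# Stand-alone run over the constructed data.
printf '%s\n' "$SAMPLE_SULOG" | repeat_offenders 2
printf '%s\n' "$SAMPLE_SU_DEFAULT_OFF" | sulog_enabled || echo 'SULOG is not enabled in /etc/default/su'
```

On a live system you would feed the functions with `cat /var/adm/sulog` and `cat /etc/default/su` instead of the constructed samples.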
In addition to logging the superuser access, you can also restrict it, which we discuss next.
You can also prevent users from having superuser access to the system remotely. If the system is set up for this, you can log in as a superuser only from the system console. In order to set up your system for this, edit the following file:
/etc/default/login
Uncomment the following line in this file:
CONSOLE=/dev/console
Remember that no value for the CONSOLE variable means no remote login for root. All this means is that you cannot log in directly as a superuser from a remote machine; you can still log in as another user and then use the su command to switch to superuser. Of course, you have to be a superuser to perform this exercise. Note that when you install Solaris 10, remote superuser access is prevented by default.
Exercise 7-2: Becoming a Superuser
Log in as a non-root user.
Become the superuser by issuing the following command:
% su
Password: <root-password>
#
Now, switch to another user account by issuing the su command. Did it ask for a password?
If your system runs an ftp server, remote users can access your system by logging on to the ftp server. This may also raise security issues, which we discuss next.