Endpoint Administration Guide for UNIXProtecting AccountsSafe User SubstitutionHow to Set Up sesu for User Substitution › Prevent Users from Running the System's su Utility

Previous Topic: Replace the System's su Utility with the CA Access Control sesu Utility

Next Topic: Setting Up the Surrogate DO Facility
Prevent Users from Running the System's su Utility

Although the sesu utility is configured, anyone can run su.ORIG (the renamed system su utility), as before, with root's or a user's password. To prevent this, use the PROGRAM class to explicitly prevent su.ORIG execution when CA Access Control is running.

Note: If you used seuidpgm during CA Access Control installation and configuration, you do not need to follow this procedure. su will not run as it has been modified (renamed to su.ORIG).

To prevent users from running the system's su utility

  1. In selang, set CA Access Control to monitor the renamed su utility, using the following command: 
    nr program su_dir/su.ORIG defacc(x) own(nobody)
  2. Logged in as root, change file access and modification time, using the following command: 
    touch su_dir/su.ORIG

    CA Access Control is watching su.ORIG and, because the file has been touched, will prevent it from being executed.