Endpoint Administration Guide for UNIX › Protecting Accounts › Safe User Substitution › How to Set Up sesu for User Substitution › Set Basic User Substitution Rules

Set Basic User Substitution Rules

Before you start using the sesu utility, you should set up some common user substitution rules in the database. These rules prevent unknown users undesirably substituting privileged user accounts, but permit specific users and processes to perform necessary user substitution activities.

To set basic user substitution rules

1. Create a surrogate resource for the root user (USER.root) with the following attributes:
   • nobody as owner
   • Default access none
   • All administrators should have full control

   This prevents all users from substituting root, unless explicitly authorized. All administrators are explicitly authorized to substitute root.

   Note: You can authorize individual administrators separately or authorize all administrators using the administrator's group.

2. Create a surrogate resource for root's group (GROUP.other) with the following attributes:
   • nobody as owner
   • default access of none
   • All administrators should have full control

   This prevents all users from substituting root's group, unless explicitly authorized. All administrators are explicitly authorized to substitute root's group.

   Note: On most UNIX systems root's group is either other or sys.

3. Change the user substitution rules for USER._default as follows:
   • nobody as owner
   • Default access none
   • Authorize root to substitute to any undefined user
   • Authorize the administrators' group to substitute to any undefined user

   This prevents all users from substituting any group, unless explicitly authorized, and authorizes root and root's group to substitute any user, unless explicitly denied.

   Note: You need to specifically authorize root to permit programs such as dtlogin to switch session ownership from root, the default X window owner (uid=0), to anyone else. If you do not do this, login attempts will fail because CA ControlMinder is blocking any user substitution activity that has not been explicitly authorized.

4. Change the group substitution rules for GROUP._default as follows:
   • nobody as owner
   • Default access none
   • Authorize root to substitute any undefined groups
   • Authorize the administrators' group to substitute to any undefined group

   This prevents all users from substituting any group, unless explicitly authorized, and authorizes root and root's group to substitute any group, unless explicitly denied.

Example: Set Basic User Substitution Rules in selang

Use the following selang commands to set basic user substitution rules in your environment:

nr surrogate USER.root defacc(n) own(nobody)
auth surrogate USER.root gid(sys_admin_GID) acc(a)
nr surrogate GROUP.other defacc(n) own(nobody)
auth surrogate GROUP.other gid(sys_admin_GID) acc(a)
cr surrogate USER._default defacc(n) own(nobody)
cr surrogate GROUP._default defacc(n) own(nobody)
auth surrogate USER._default uid(root) acc(a)
auth surrogate GROUP._default uid(root) acc(a)
auth surrogate USER._default gid(sys_admin_GID) acc(a)
auth surrogate GROUP._default gid(sys_admin_GID) acc(a)