Replace the System's su Utility with the CA ControlMinder sesu Utility

By default, the file permissions of the sesu utility are set so that no one can run it. To let users substitute to other users by using the sesu utility, you must enable sesu and replace the system su with this utility.

To replace the system's su utility with the CA ControlMinder sesu utility

Note: You need to be root or another authorized user to perform the following steps.

  1. Permit users to run the sesu utility using the following command:
    chmod +s /opt/CA/AccessControl/bin/sesu
    
  2. Find out the location of the system's su utility using the following command:
    which su
    
  3. Rename the system's su utility using the following command:
    mv su_dir/su su_dir/su.ORIG
    

    where su_dir is the directory where su resides, as reported by the which command in the previous step.

  4. Link the sesu utility to the su command:
    ln -s /opt/CA/AccessControl/bin/sesu su_dir/su
    

    This lets users continue to use the su command, although it now runs the sesu utility.

  5. Stop CA ControlMinder using the following command:
    secons -s
    
  6. Modify CA ControlMinder configuration settings using the following commands:
    seini -s sesu.SystemSu su_dir/su.ORIG
    seini -s sesu.UseInvokerPassword yes
    

    The token SystemSu is set so that sesu can call the original system su utility if CA ControlMinder is not running.

    The token UseInvokerPassword is set to tell CA ControlMinder to prompt users for their own password rather than for root's password or the target user's password. The user must re-authenticate before the user substitution is permitted.

  7. Reload CA ControlMinder using the following command:
    seload
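The seven steps above wrapped into one script, as an added example that is not part of the CA documentation. It assumes sesu lives at the path given on this page and that secons, seini and seload are on PATH; it adds the checks an operator would want before touching su: that the setuid bit really took, that su.ORIG is never overwritten by a second run, and that the new su link actually points at sesu.

```shell
#!/bin/sh
# Added example (not CA's own code). Assumed paths: sesu from this page,
# ControlMinder tools (secons/seini/seload) on PATH.
set -e
SESU="${SESU:-/opt/CA/AccessControl/bin/sesu}"

# Step 1: mark sesu setuid/setgid so unprivileged users may run it,
# then confirm the mode actually changed.
enable_sesu() {
    chmod +s "$1"
    [ -u "$1" ]
}

# Step 2: locate the system su and print the directory it lives in.
find_su_dir() {
    su_path=$(command -v su) || return 1
    dirname "$su_path"
}

# Steps 3 and 4: preserve the original as su.ORIG, then make su a
# symlink to sesu. Refuses to run twice: a second run would move the
# symlink over su.ORIG and lose the real su for good.
replace_su() {
    su_dir="$1"; sesu="$2"
    [ -x "$sesu" ] || { echo "sesu not found at $sesu" >&2; return 1; }
    if [ -e "$su_dir/su.ORIG" ]; then
        echo "$su_dir/su.ORIG already exists; refusing to overwrite" >&2
        return 1
    fi
    mv "$su_dir/su" "$su_dir/su.ORIG"
    ln -s "$sesu" "$su_dir/su"
    # su must now resolve to sesu, otherwise fail loudly.
    [ "$(readlink "$su_dir/su")" = "$sesu" ]
}

# Steps 5 to 7: stop the daemon, point sesu at the preserved su so it
# still works when ControlMinder is down, require the invoker's own
# password, then reload. Only meaningful on a real installation.
configure_sesu() {
    secons -s
    seini -s sesu.SystemSu "$1/su.ORIG"
    seini -s sesu.UseInvokerPassword yes
    seload
}

if [ "${1:-}" = "--apply" ]; then
    su_dir=$(find_su_dir)
    enable_sesu "$SESU"
    replace_su "$su_dir" "$SESU"
    configure_sesu "$su_dir"
fi
```

Run as root with `--apply` to perform the replacement; without the flag the script only defines the functions, so each step can be rehearsed in a scratch directory first.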