By default, the sesu utility is marked in the file system so that no one can run it. To let users substitute other users by using the sesu utility, you must enable sesu and replace the system su with this utility.
To replace the system's su utility with the CA ControlMinder sesu utility
Note: You need to be root or another authorized user to perform the following steps.
chmod +s /opt/CA/AccessControl/bin/sesu
which su
mv su_dir/su su_dir/su.ORIG
where su_dir is the directory where su resides.
ln -s /opt/CA/AccessControl/bin/sesu su_dir/su
This lets users continue to use the su command, although it now runs the sesu utility.
secons -s
seini -s sesu.SystemSu su_dir/su.ORIG
seini -s sesu.UseInvokerPassword yes
The token SystemSu is set so that sesu can call the original system su utility if CA ControlMinder is not running.
The token UseInvokerPassword is set to tell CA ControlMinder to prompt the user for their original password instead of root's password or another user's password. The user needs to re-authenticate before the user substitution is permitted.
seload
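The following check is an added example, not part of the CA documentation. It verifies the state the steps above should leave on disk: a setuid sesu, su linked to sesu, and su.ORIG kept as the SystemSu fallback. The function name check_sesu_swap, its return codes, and the INI layout read by the optional token check (a [sesu] section with "name = value" lines in a file the caller supplies) are assumptions.

```shell
#!/bin/sh
# Added example: verify the on-disk state the sesu swap procedure should leave.
# usage: check_sesu_swap SU_DIR [SESU_PATH [INI_FILE]]
# Return codes (constructed for this example):
#   0 ok, 1 sesu not setuid, 2 su is not a symlink to sesu,
#   3 su.ORIG missing or not executable, 4 SystemSu token mismatch,
#   5 UseInvokerPassword not "yes"
check_sesu_swap() {
    su_dir=$1
    sesu=${2:-/opt/CA/AccessControl/bin/sesu}
    ini=${3:-}

    # chmod +s step: the setuid bit must be present on sesu.
    [ -u "$sesu" ] || { echo "sesu is not setuid: $sesu" >&2; return 1; }

    # ln -s step: su must be a symlink that resolves to sesu.
    [ -L "$su_dir/su" ] &&
        [ "$(readlink -f "$su_dir/su")" = "$(readlink -f "$sesu")" ] ||
        { echo "$su_dir/su does not link to $sesu" >&2; return 2; }

    # mv step: the original binary must survive as the SystemSu fallback.
    [ -f "$su_dir/su.ORIG" ] && [ -x "$su_dir/su.ORIG" ] ||
        { echo "fallback $su_dir/su.ORIG missing" >&2; return 3; }

    # Optional token check. ASSUMPTION: tokens are stored as "name = value"
    # lines under a [sesu] section of an INI-style file given by the caller.
    [ -n "$ini" ] || return 0
    tok() {
        awk -v want="$1" '
            /^[ \t]*\[/ { in_s = ($0 ~ /^[ \t]*\[sesu\]/); next }
            in_s { split($0, kv, "="); k = kv[1]; gsub(/[ \t]/, "", k)
                   if (k == want) { v = substr($0, index($0, "=") + 1)
                                    gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }
        ' "$ini"
    }
    [ "$(tok SystemSu)" = "$su_dir/su.ORIG" ] ||
        { echo "SystemSu does not point at $su_dir/su.ORIG" >&2; return 4; }
    [ "$(tok UseInvokerPassword)" = "yes" ] ||
        { echo "UseInvokerPassword is not yes" >&2; return 5; }
    return 0
}
```

Run it as check_sesu_swap su_dir, where su_dir is the directory reported by which su; a non-zero return identifies the step whose result is missing.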
Copyright © 2013 CA Technologies.
All rights reserved.