How to allow access to su to root on FreeBSD


Posted on: 12 Nov 2007
Author: mandrei
Section: Server Operating Systems | Administration Guides

su -- substitute user identity. The su utility requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed.

If you are the administrator of a FreeBSD system and want to allow a user to su to root, use pw modgroup wheel -M user, where "user" is the user to whom you wish to grant this.


SU(1) FreeBSD General Commands Manual SU(1)

NAME
su -- substitute user identity

SYNOPSIS
su [-] [-flms] [-c class] [login [args]]

DESCRIPTION
The su utility requests appropriate user credentials via PAM and switches
to that user ID (the default user is the superuser). A shell is then
executed.

PAM is used to set the policy su(1) will use. In particular, by default
only users in the ``wheel'' group can switch to UID 0 (``root''). This
group requirement may be changed by modifying the ``pam_group'' section
of /etc/pam.d/su. See pam_group(8) for details on how to modify this
setting.

By default, the environment is unmodified with the exception of USER,
HOME, and SHELL. HOME and SHELL are set to the target login's default
values. USER is set to the target login, unless the target login has a
user ID of 0, in which case it is unmodified. The invoked shell is the
one belonging to the target login. This is the traditional behavior of
su. Resource limits and session priority applicable to the original
user's login class (see login.conf(5)) are also normally retained unless
the target login has a user ID of 0.

The options are as follows:

-f If the invoked shell is csh(1), this option prevents it from
reading the ``.cshrc'' file.

-l Simulate a full login. The environment is discarded except for
HOME, SHELL, PATH, TERM, and USER. HOME and SHELL are modified
as above. USER is set to the target login. PATH is set to
``/bin:/usr/bin''. TERM is imported from your current
environment. Environment variables may be set or overridden from the
login class capabilities database according to the class of the
target login. The invoked shell is the target login's, and su
will change directory to the target login's home directory.
Resource limits and session priority are modified to that for the
target account's login class.

- (no letter) The same as -l.

-m Leave the environment unmodified. The invoked shell is your
login shell, and no directory changes are made. As a security
precaution, if the target user's shell is a non-standard shell
(as defined by getusershell(3)) and the caller's real uid is
non-zero, su will fail.

To change the characteristics of a user or group in FreeBSD, you can use pw(8).

PW(8) FreeBSD System Manager's Manual PW(8)

NAME
pw -- create, remove, modify & display system users and groups

SYNOPSIS
pw [-V etcdir] useradd [name|uid] [-C config] [-q] [-n name] [-u uid]
[-c comment] [-d dir] [-e date] [-p date] [-g group] [-G grouplist]
[-m] [-k dir] [-w method] [-s shell] [-o] [-L class] [-h fd | -H fd]
[-N] [-P] [-Y]
pw [-V etcdir] useradd [name|uid] -D [-C config] [-q] [-b dir] [-e days]
[-p days] [-g group] [-G grouplist] [-k dir] [-u min,max] [-i min,max]
[-w method] [-s shell] [-y path]
pw [-V etcdir] userdel [name|uid] [-n name] [-u uid] [-r] [-Y]
pw [-V etcdir] usermod [name|uid] [-C config] [-q] [-n name] [-u uid]
[-c comment] [-d dir] [-e date] [-p date] [-g group] [-G grouplist]
[-l name] [-m] [-k dir] [-w method] [-s shell] [-L class]
[-h fd | -H fd] [-N] [-P] [-Y]
pw [-V etcdir] usershow [name|uid] [-n name] [-u uid] [-F] [-P] [-7] [-a]
pw [-V etcdir] usernext [-C config] [-q]
pw [-V etcdir] groupadd [group|gid] [-C config] [-q] [-n group] [-g gid]
[-M members] [-o] [-h fd | -H fd] [-N] [-P] [-Y]
pw [-V etcdir] groupdel [group|gid] [-n name] [-g gid] [-Y]
pw [-V etcdir] groupmod [group|gid] [-C config] [-q] [-n name] [-g gid]
[-l name] [-M members] [-m newmembers] [-h fd | -H fd] [-N] [-P] [-Y]
pw [-V etcdir] groupshow [group|gid] [-n name] [-g gid] [-F] [-P] [-a]
pw [-V etcdir] groupnext [-C config] [-q]
pw [-V etcdir] lock [name|uid] [-C config] [-q]
pw [-V etcdir] unlock [name|uid] [-C config] [-q]

DESCRIPTION
The pw utility is a command-line based editor for the system user and
group files, allowing the superuser an easy to use and standardized way
of adding, modifying and removing users and groups. Note that pw only
operates on the local user and group files. NIS users and groups must be
maintained on the NIS server. The pw utility handles updating the
passwd, master.passwd, group and the secure and insecure password
database files, and must be run as root.

The first one or two keywords provided to pw on the command line provide
the context for the remainder of the arguments. The keywords user and
group may be combined with add, del, mod, show, or next in any order.
(For example, showuser, usershow, show user, and user show all mean the
same thing.) This flexibility is useful for interactive scripts calling
pw for user and group database manipulation. Following these keywords,
you may optionally specify the user or group name or numeric id as an
alternative to using the -n name, -u uid, -g gid options.
..................
GROUP OPTIONS
The -C and -q options (explained at the start of the previous section)
are available with the group manipulation commands. Other common options
to all group-related commands are:

-n name Specify the group name.

-g gid Specify the group numeric id.

As with the account name and id fields, you will usually
only need to supply one of these, as the group name
implies the uid and vice versa. You will only need to use
both when setting a specific group id against a new group
or when changing the uid of an existing group.

-M memberlist This option provides an alternative way to add existing
users to a new group (in groupadd) or replace an existing
membership list (in groupmod). memberlist is a comma
separated list of valid and existing user names or uids.

-m newmembers Similar to -M, this option allows the addition of existing
users to a group without replacing the existing list of
members. Login names or user ids may be used, and
duplicate users are silently eliminated.

groupadd also has a -o option that allows allocation of an existing group
id to a new group. The default action is to reject an attempt to add a
group, and this option overrides the check for duplicate group ids.
There is rarely any need to duplicate a group id.

The groupmod command adds one additional option:

-l name This option allows changing of an existing group name to
`name'. The new name must not already exist, and any
attempt to duplicate an existing group name will be
rejected.

Options for groupshow are the same as for usershow, with the -g gid
replacing -u uid to specify the group id. The -7 option does not apply
to the groupshow command.

The command groupnext returns the next available group id on standard
output.

If you want to allow user yourname access to su, use pw modgroup wheel -M yourname or pw modgroup wheel -m yourname, depending on whether you want to replace the wheel member list or add to it.
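As an added example (not the article's or FreeBSD's own code), the shell below models what the two pw forms on this page do to the wheel member list and then audits the result, so the replace-versus-append difference can be checked before anything is run as root; the wheel entries it uses are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article. It models the two
# pw(8) forms the page discusses on a group(5)-style wheel line, so it runs
# without FreeBSD; the real commands it mirrors are:
#   pw groupmod wheel -M list   (list REPLACES the member field)
#   pw groupmod wheel -m list   (list is APPENDED, duplicates dropped)
# Sample entries below are constructed, not taken from a real system.
# Fourth field of a group(5) line is the comma-separated member list.
members_of() { printf '%s\n' "$1" | cut -d: -f4; }

# Succeed when user $1 appears in the member list of group line $2.
is_member() {
    case ",$(members_of "$2")," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Result of -M: the given list becomes the entire member field.
after_M() { # $1 = current line, $2 = memberlist
    printf '%s:%s\n' "$(printf '%s' "$1" | cut -d: -f1-3)" "$2"
}

# Result of -m: names are appended; names already present are dropped.
after_m() { # $1 = current line, $2 = newmembers
    cur=$(members_of "$1")
    for u in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$cur," in
            *",$u,"*) ;;
            *) cur="${cur:+$cur,}$u" ;;
        esac
    done
    printf '%s:%s\n' "$(printf '%s' "$1" | cut -d: -f1-3)" "$cur"
}

# Audit after the change: every previous wheel member must still be there.
# Losing root from wheel is exactly what the -M form can do.
members_retained() { # $1 = line before, $2 = line after
    for u in $(members_of "$1" | tr ',' ' '); do
        is_member "$u" "$2" || return 1
    done
    return 0
}

# Constructed starting point; on FreeBSD use: before=$(pw groupshow wheel)
before='wheel:*:0:root,alice'
printf '%s\n' "-m: $(after_m "$before" bob)"   # wheel:*:0:root,alice,bob
printf '%s\n' "-M: $(after_M "$before" bob)"   # wheel:*:0:bob
members_retained "$before" "$(after_M "$before" bob)" || printf '%s\n' "-M dropped existing members"
```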




1 comment(s) to How to allow access to su to root on FreeBSD:

1. Re: How to allow access to su to root on FreeBSD
Fail... by Roy at March 16th, 2011 - 21:12
If you don't read all the way down and just use the first example with the -M you REPLACE the members of the group... what you want is -m which ADDS to the members of the group without replacing.
