Su from an unprivileged account

Daniel J Walsh dwalsh at redhat.com
Thu Apr 15 19:45:33 UTC 2004


Gene Czarcinski wrote:

>On Thursday 15 April 2004 14:09, Daniel J Walsh wrote:
>  
>
>>Nic¤ wrote:
>>    
>>
>>>Hi all.
>>>
>>>Is there a way to easily configure the policy to allow
>>>an unprivileged user to execute the su command.
>>>
>>>By default, this is not allowed !
>>>      
>>>
>>By default it is allowed, there is a tunable to turn this off, but a
>>normal user should be able to su.
>>    
>>
>
>Mmmm .. I wonder if it can be fine tuned enough so that a user could su to 
>another regular user but not root or any user with sysadm_r capability?  At 
>the same time, a user with a sysadm_r capability could su to anyone.
>
>That might be an interesting capability to have.
>  
>

That is what staff_r is defined as.  If you turn off user_canbe_sysadm, 
you will end up with regular users who can't su and
staff users who can.

>Gene
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  
>



More information about the fedora-selinux-list mailing list