Replace the System su Utility with the CA Privileged Access Manager Server Control sesu Utility

By default, the sesu utility is marked in the file system so that no one can run it. To let users substitute other users by using the sesu utility, you must enable sesu and replace the system su with this utility.
To replace the system's su utility with the Privileged Access Manager Server Control sesu utility
You need to be root or another authorized user to perform the following steps.
  1. Permit users to run the sesu utility using the following command:
    chmod +s /opt/CA/AccessControl/bin/sesu
  2. Find out the location of the system's su utility using the following command:
    which su
  3. Rename the system's su utility using the following command:
    mv su_dir/su su_dir/su.ORIG
    where su_dir is the directory where su resides.
  4. Link the sesu utility to the su command:
    ln -s /opt/CA/AccessControl/bin/sesu su_dir/su
    This lets users continue to use the su command, although it now runs the sesu utility.
  5. Stop Privileged Access Manager Server Control using the following command:
    secons -s
  6. Modify Privileged Access Manager Server Control configuration settings using the following commands:
    seini -s sesu.SystemSu su_dir/su.ORIG
    seini -s sesu.UseInvokerPassword yes
    The token SystemSu is set so that sesu can call the original system su utility if Privileged Access Manager Server Control is not running.
    The token UseInvokerPassword is set to tell Privileged Access Manager Server Control to prompt the user for their original password instead of root's password or another user's password. The user needs to re-authenticate before the user substitution is permitted.
  7. Reload Privileged Access Manager Server Control using the following command:
    seload
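The procedure above as a guarded shell script (an added example, not part of the CA documentation): the rename and link steps refuse to run a second time or to overwrite an existing su.ORIG backup, and a verification function confirms the result before the seini tokens are changed. The function names, the SESU_APPLY guard and the SESU_BIN override are assumptions; the paths, commands and tokens are those given on this page.

```shell
#!/bin/sh
# Added example: steps 1 to 7 of the sesu replacement procedure with sanity checks.
# SESU_BIN, SESU_APPLY and the function names are this example's own conventions.
SESU_BIN="${SESU_BIN:-/opt/CA/AccessControl/bin/sesu}"

# replace_su SU_PATH SESU_PATH
# Steps 3 and 4: rename SU_PATH to SU_PATH.ORIG and link SESU_PATH in its place.
# Refuses to act if su is already a symlink (procedure already applied) or if a
# backup already exists, so a re-run can never destroy the original su binary.
replace_su() {
    su_path="$1"; sesu="$2"
    [ -x "$sesu" ] || { echo "sesu not found at $sesu" >&2; return 1; }
    [ -L "$su_path" ] && { echo "$su_path is already a symlink" >&2; return 1; }
    [ -e "$su_path.ORIG" ] && { echo "$su_path.ORIG exists; not overwriting" >&2; return 1; }
    [ -f "$su_path" ] || { echo "no su binary at $su_path" >&2; return 1; }
    mv "$su_path" "$su_path.ORIG" || return 1
    ln -s "$sesu" "$su_path" || return 1
}

# verify_su_replacement SU_PATH SESU_PATH
# Returns 0 only if su is a symlink to sesu and the su.ORIG backup is present.
verify_su_replacement() {
    su_path="$1"; sesu="$2"
    [ -L "$su_path" ] || return 1
    [ "$(readlink "$su_path")" = "$sesu" ] || return 1
    [ -f "$su_path.ORIG" ] || return 1
}

# configure_sesu SU_PATH
# Steps 5 to 7: stop the product, point SystemSu at the backup, require the
# invoker's own password, then reload.
configure_sesu() {
    su_path="$1"
    secons -s || return 1
    seini -s sesu.SystemSu "$su_path.ORIG" || return 1
    seini -s sesu.UseInvokerPassword yes || return 1
    seload
}

# Nothing is changed unless SESU_APPLY=1 is set explicitly; sourcing the file
# for its functions, or running it without the variable, is a no-op.
if [ "${SESU_APPLY:-0}" = 1 ]; then
    SU_PATH="$(which su)"
    chmod +s "$SESU_BIN" || exit 1                       # step 1
    replace_su "$SU_PATH" "$SESU_BIN" || exit 1          # steps 3 and 4
    verify_su_replacement "$SU_PATH" "$SESU_BIN" || exit 1
    configure_sesu "$SU_PATH" || exit 1                  # steps 5 to 7
fi
```

Run it as root with `SESU_APPLY=1 sh replace_su.sh`; without the variable it only defines the functions, so `verify_su_replacement "$(which su)" /opt/CA/AccessControl/bin/sesu` can be used on its own to audit whether a host has the replacement in place.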