Replace the System su Utility with the CA Privileged Access Manager Server Control sesu Utility
By default, the sesu utility is marked in the file system so that no one can run it. To let users substitute other users by using the sesu utility, you must enable sesu and replace the system su with this utility.
To replace the system's su utility with the Privileged Access Manager Server Control sesu utility, follow these steps. You need to be root or another authorized user to perform them.
- Permit users to run the sesu utility using the following command:
  chmod +s /opt/CA/AccessControl/bin/sesu
- Find out the location of the system's su utility using the following command:
  which su
- Rename the system's su utility using the following command:
  mv su_dir/su su_dir/su.ORIG
  where su_dir is the directory where su resides.
- Link the sesu utility to the su command:
  ln -s /opt/CA/AccessControl/bin/sesu su_dir/su
  This lets users continue to use the su command, although it now runs the sesu utility.
- Stop Privileged Access Manager Server Control using the following command:
  secons -s
- Modify Privileged Access Manager Server Control configuration settings using the following commands:
  seini -s sesu.SystemSu su_dir/su.ORIG
  seini -s sesu.UseInvokerPassword yes
  The token SystemSu is set so that sesu can call the original system su utility if Privileged Access Manager Server Control is not running. The token UseInvokerPassword is set to tell Privileged Access Manager Server Control to prompt the user for their original password instead of root's password or another user's password. The user needs to re-authenticate before the user substitution is permitted.
- Reload Privileged Access Manager Server Control using the following command:
  seload
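The file-system part of the procedure above (chmod, rename, link) as an added shell example that is not part of the CA documentation or product. It guards against being run twice, which would otherwise move the symlink over su.ORIG and lose the original su, and it checks the resulting layout; the function names, arguments and the sample files built in the usage comment are assumptions, and the secons/seini/seload steps are still done by hand.

```shell
#!/bin/sh
# Added example, not CA's own code. replace_su_with_sesu SESU SU_DIR performs
# the chmod/mv/ln steps of the procedure; verify_su_replacement checks them.
set -e

replace_su_with_sesu() {
    sesu="$1"; su_dir="$2"
    [ -f "$sesu" ] || { echo "sesu not found: $sesu" >&2; return 1; }
    # Refuse to run a second time: another mv would move the symlink over
    # the backup and the real su would be lost.
    if [ -e "$su_dir/su.ORIG" ]; then
        echo "$su_dir/su.ORIG already exists; refusing to overwrite it" >&2
        return 1
    fi
    if [ -L "$su_dir/su" ]; then
        echo "$su_dir/su is already a symlink; refusing" >&2
        return 1
    fi
    chmod +s "$sesu"                      # step 1: let users run sesu
    mv "$su_dir/su" "$su_dir/su.ORIG"     # step 3: keep the original su
    ln -s "$sesu" "$su_dir/su"            # step 4: su now runs sesu
}

# Post-check: su is a symlink to sesu, su.ORIG is a regular file, and sesu
# carries the setuid bit. Returns 0 when all hold.
verify_su_replacement() {
    sesu="$1"; su_dir="$2"
    [ -L "$su_dir/su" ] || return 1
    [ "$(readlink "$su_dir/su")" = "$sesu" ] || return 1
    [ -f "$su_dir/su.ORIG" ] || return 1
    [ -u "$sesu" ] || return 1
    return 0
}

# Usage on a real host (as root), then run secons -s, seini and seload by hand:
#   replace_su_with_sesu /opt/CA/AccessControl/bin/sesu "$(dirname "$(which su)")"
#   verify_su_replacement /opt/CA/AccessControl/bin/sesu "$(dirname "$(which su)")"
```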