Replace the System's su Utility with the Privileged Identity Manager sesu Utility
By default, the sesu utility is marked in the file system so that no one can run it. To let users substitute other users by using the sesu utility, you must enable sesu and replace the system su with this utility.
To replace the system's su utility with the Privileged Identity Manager sesu utility
You need to be root or another authorized user to perform the following steps.
- Permit users to run the sesu utility using the following command:
    chmod +s /opt/CA/AccessControl/bin/sesu
  This sets the set-user-ID and set-group-ID bits on sesu, so the utility runs with the privileges of its owner rather than those of the invoking user.
- Find out the location of the system's su utility using the following command:
    which su
- Rename the system's su utility using the following command:
    mv su_dir/su su_dir/su.ORIG
  where su_dir is the directory where su resides.
- Link the sesu utility to the su command:
    ln -s /opt/CA/AccessControl/bin/sesu su_dir/su
  This lets users continue to use the su command, although it now runs the sesu utility. Perform the rename before creating the link, and confirm with ls -l su_dir/su su_dir/su.ORIG that su is now a symbolic link to sesu and that su.ORIG is the original binary.
- Stop Privileged Identity Manager using the following command:
    secons -s
- Modify Privileged Identity Manager configuration settings using the following commands:
    seini -s sesu.SystemSu su_dir/su.ORIG
    seini -s sesu.UseInvokerPassword yes
  The token SystemSu points sesu at the original system su utility so that sesu can call it if Privileged Identity Manager is not running. The token UseInvokerPassword tells Privileged Identity Manager to prompt the user for their own password instead of root's password or the target user's password; the user must re-authenticate before the user substitution is permitted, and the target account's password never has to be shared.
- Reload Privileged Identity Manager using the following command:
    seload
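The procedure above, wrapped in a shell script with the checks an administrator would want before and after each step. This is an added example, not a script shipped with Privileged Identity Manager or taken from CA's documentation: the install path /opt/CA/AccessControl/bin/sesu is the one the page uses, while the SESU override variable, the RUN_SU_REPLACE guard and the function names are assumptions of this script. It refuses to run twice (a second mv would replace su.ORIG with the symlink), insists on an absolute sesu path so the link is not relative to su_dir, and verifies the result before touching the product configuration.

```sh
#!/bin/sh
# Added example (not CA's code): wraps the su -> sesu replacement procedure in
# checked steps. SESU, RUN_SU_REPLACE and the function names are assumptions.

SESU="${SESU:-/opt/CA/AccessControl/bin/sesu}"   # install path from the procedure

# Step 1: set the set-user-ID/set-group-ID bits on sesu and confirm setuid stuck.
enable_sesu() {
    sesu="$1"
    [ -f "$sesu" ] || { echo "enable_sesu: $sesu not found" >&2; return 1; }
    chmod +s "$sesu" || return 1
    [ -u "$sesu" ] || { echo "enable_sesu: setuid bit not set on $sesu" >&2; return 1; }
}

# Step 2: directory holding the system su (first match on PATH, like 'which su').
find_su_dir() {
    su_path=$(command -v su) || return 1
    dirname "$su_path"
}

# Steps 3 and 4: keep the original as su.ORIG, then point su at sesu.
# Refuses to run twice: a second mv would clobber su.ORIG with the symlink.
replace_su() {
    sesu="$1"; su_dir="$2"
    case "$sesu" in
        /*) ;;
        *) echo "replace_su: sesu path must be absolute" >&2; return 1 ;;
    esac
    [ -f "$su_dir/su" ] || { echo "replace_su: $su_dir/su not found" >&2; return 1; }
    if [ -e "$su_dir/su.ORIG" ]; then
        echo "replace_su: $su_dir/su.ORIG already exists; refusing to overwrite" >&2
        return 1
    fi
    mv "$su_dir/su" "$su_dir/su.ORIG" || return 1
    ln -s "$sesu" "$su_dir/su" || return 1
}

# Post-check: su must be a symlink to sesu, and su.ORIG the preserved original.
verify_su_link() {
    su_dir="$1"; sesu="$2"
    [ -L "$su_dir/su" ] || return 1
    [ "$(readlink "$su_dir/su")" = "$sesu" ] || return 1
    [ -f "$su_dir/su.ORIG" ] && [ ! -L "$su_dir/su.ORIG" ]
}

# Steps 5 to 7: stop the product, set the two sesu tokens, reload.
configure_sesu() {
    su_dir="$1"
    secons -s || return 1
    seini -s sesu.SystemSu "$su_dir/su.ORIG" || return 1
    seini -s sesu.UseInvokerPassword yes || return 1
    seload
}

# Run the full procedure only when explicitly requested, and only as root.
if [ "${RUN_SU_REPLACE:-0}" = "1" ]; then
    [ "$(id -u)" = "0" ] || { echo "must run as root" >&2; exit 1; }
    su_dir=$(find_su_dir) || exit 1
    enable_sesu "$SESU" || exit 1
    replace_su "$SESU" "$su_dir" || exit 1
    verify_su_link "$su_dir" "$SESU" || exit 1
    configure_sesu "$su_dir" || exit 1
    echo "su in $su_dir now runs $SESU; original kept as $su_dir/su.ORIG"
fi
```

Run it as root with RUN_SU_REPLACE=1 sh replace_su.sh; without the variable it only defines the functions, so you can source it and call replace_su and verify_su_link against a scratch directory first. After seload, log in as an unprivileged user and run su - to another account: the prompt should ask for that user's own password, which confirms UseInvokerPassword took effect. If su exists in more than one directory on the PATH (for example both /bin and /usr/bin on systems that are not merged), repeat the rename-and-link steps for each copy, or users whose PATH finds the other copy first will bypass sesu.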