The su Command
Upon typing the su command, the user is prompted for the root password and, after authentication, given a root shell prompt.
Once logged in via the su command, the user is the root user and has absolute administrative access to the system. In addition, once a user has attained root, it is possible in some cases for them to use the su command to change to any other user on the system without being prompted for a password.
Because this program is so powerful, administrators within an organization may wish to limit who has access to the command.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:
In the previous command, replace <username> with the username being added to the wheel group.
Next open the PAM configuration file for su, /etc/pam.d/su, in a text editor and remove the comment [#] from the following line:
auth required /lib/security/pam_wheel.so use_uid
Doing this will permit only members of the administrative group wheel to use the program.
The root user is part of the wheel group by default.
How do I restrict the use of su command?
The su command is used to become another user during a login session. Invoked without a username, su defaults to becoming the superuser. The optional argument - may be used to provide an environment similar to what the user would expect had the user logged in directly.
You can SSH using a regular user account, then use the su command to obtain root access. This is true for any user that enters the su command and enters the root password. Root access means absolute access, thus, it is recommended that you limit the usernames that can use the su command and get root access.
There is a group called 'wheel' on Linux systems that can be used for exactly this purpose. Add the usernames that should have su access to the wheel group, then restrict su so that only members of the wheel group can use the su command.
Add a user with the id buddy to the wheel group:
Now change to the directory /etc/pam.d:
/etc/pam.d$ ls -l su
-rw-r--r-- 1 root root 2303 May 26 19:53 su
Edit the PAM configuration file for su, /etc/pam.d/su, in a text editor and remove the comment (#) from the line shown below:
# auth required /lib/security/pam_wheel.so use_uid
So that it looks like this:
auth required /lib/security/pam_wheel.so use_uid
Doing this will permit only members of the group wheel to use the su command.
Below is the Debian configuration file:
# The PAM configuration file for the Shadow `su' service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
auth required pam_wheel.so
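As an added example (not part of either document quoted above), the following POSIX shell script checks whether the pam_wheel restriction is active in a su PAM file, enables it, and lists the members of the wheel group. It works on constructed copies of the files so it can be tried without root; the function names and the temporary paths are my own.

```shell
#!/bin/sh
# Added example: audit and enable the pam_wheel restriction for su.
# Assumes POSIX sh with grep, sed and awk. File paths are passed as
# arguments so the functions can run against copies of the real files
# (/etc/pam.d/su and /etc/group) rather than the live system.
#
# On the live system the user is added to wheel with:
#   usermod -a -G wheel buddy
# The -a flag appends; "usermod -G wheel buddy" alone would REPLACE the
# user's supplementary groups, silently dropping any others.

# Return 0 if FILE has an active (uncommented) "auth required ... pam_wheel.so"
# line; matches both "pam_wheel.so" and "/lib/security/pam_wheel.so use_uid".
pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so' "$1"
}

# Uncomment every commented pam_wheel auth line in FILE (rewrites the file).
enable_pam_wheel() {
    sed -E 's/^#[[:space:]]*(auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so.*)$/\1/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the comma-separated member list of GROUP from a file in /etc/group format.
group_members() {
    # fields: name:password:gid:member,member,...
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Demonstration on constructed copies of the two files.
demo() {
    tmp=$(mktemp -d)
    printf 'auth sufficient pam_rootok.so\n# auth required pam_wheel.so\n' > "$tmp/su"
    printf 'root:x:0:\nwheel:x:10:root,buddy\n' > "$tmp/group"
    if pam_wheel_enabled "$tmp/su"; then
        echo "su is already restricted to wheel"
    else
        echo "su is NOT restricted: any user with the root password can use it"
        enable_pam_wheel "$tmp/su"
    fi
    pam_wheel_enabled "$tmp/su" && \
        echo "su now limited to wheel members: $(group_members "$tmp/group" wheel)"
    rm -rf "$tmp"
}
```

Run the same checks against the real /etc/pam.d/su and /etc/group to confirm the restriction is in force after editing, remembering that pam_rootok.so still lets root su to any account without a password.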