Restrict the use of su command

su is used to become another user during a login session. Invoked without a username, su defaults to becoming the super user. The user will be prompted for a password, if appropriate. Invalid passwords will produce an error message. All attempts, both valid and invalid, are logged to detect abuses of the system.

By default almost all distro allows to use su command. However you can restrict the use of su command for security reasons.

Both UNIX and Linux have a group called wheel. If user is member of this group she can use su command. We can add user to this group.

For example add existing user rocky to wheel group
# usermod -G wheel rocky

Now open /etc/pam.d/su PAM config file:
# vi /etc/pam.d/su
Append line as follows:
auth required /lib/security/pam_wheel.so use_uid
OR
auth required pam_wheel.so use_uid

Save and close the file.

Because of above setting only members of the administrative group wheel can use the su command. However I still recommend sudo over su for better control, security and ease of use. This is also default behavior on FreeBSD.

• Tweet
• 
• 

You should follow me on twitter here or grab rss feed to keep track of new changes.

Featured Articles:

• 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
• Top 30 Nmap Command Examples For Sys/Network Admins
• 25 PHP Security Best Practices For Sys Admins
• 20 Linux System Monitoring Tools Every SysAdmin Should Know
• 20 Linux Server Hardening Security Tips
• Linux: 20 Iptables Examples For New SysAdmins
• Top 20 OpenSSH Server Best Security Practices
• Top 20 Nginx WebServer Best Security Practices
• 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
• 15 Greatest Open Source Terminal Applications Of 2012
• My 10 UNIX Command Line Mistakes
• Top 10 Open Source Web-Based Project Management Software
• Top 5 Email Client For Linux, Mac OS X, and Windows Users
• The Novice Guide To Buying A Linux Laptop