Restrict the use of su command

su is used to become another user during a login session. Invoked without a username, su defaults to becoming the super user. The user will be prompted for a password, if appropriate. Invalid passwords will produce an error message. All attempts, both valid and invalid, are logged to detect abuses of the system.

By default, almost all distros allow any user to run the su command. However, you can restrict the use of su for security reasons.

Both UNIX and Linux have a group called wheel. If a user is a member of this group, she can use the su command. We can add a user to this group.

For example, to add the existing user rocky to the wheel group (the -a flag appends wheel to the user's existing supplementary groups instead of replacing them):
# usermod -aG wheel rocky

Now open the /etc/pam.d/su PAM config file:
# vi /etc/pam.d/su
Append a line as follows:
auth required /lib/security/pam_wheel.so use_uid
or, without the full module path:
auth required pam_wheel.so use_uid

Save and close the file.

Because of the above setting, only members of the administrative group wheel can use the su command. However, I still recommend sudo over su for better control, security and ease of use. This is also the default behavior on FreeBSD.
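The steps above (add the user to wheel, then make sure /etc/pam.d/su carries an active pam_wheel rule) as one idempotent POSIX shell script. This is an added example, not code from the original article. It assumes pam_wheel.so is installed and on PAM's module search path, that usermod(8) is available, and that the PAM file paths are passed in by the caller (the article edits /etc/pam.d/su; one commenter below notes that /etc/pam.d/su-l must be edited too on some distributions). The use_uid option makes pam_wheel check the real uid of the user invoking su rather than the name it was given. The script places the rule directly after an existing pam_rootok.so line when there is one, because that sufficient rule is what lets root su to other accounts without a password; otherwise it falls back to the article's plain append.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Enforce "only wheel members may su" idempotently.
# Assumptions: pam_wheel.so is installed and on PAM's module search path;
# usermod(8) exists; PAM file paths are supplied by the caller (root needed
# to change real files).

PAM_WHEEL_LINE='auth       required   pam_wheel.so use_uid'

# Matches an *active* (uncommented) pam_wheel auth rule, with or without the
# old /lib/security/ prefix shown in the article.
PAM_WHEEL_RE='^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+(/lib/security/)?pam_wheel\.so'

# user_in_wheel USER -> 0 if USER's groups include wheel
user_in_wheel() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx wheel
}

# add_to_wheel USER -> append wheel with -a so existing supplementary groups
# are kept (plain "usermod -G wheel USER" would replace them). Needs root.
add_to_wheel() {
    user_in_wheel "$1" || usermod -aG wheel "$1"
}

# has_pam_wheel FILE -> 0 if FILE already contains an active pam_wheel rule
has_pam_wheel() {
    grep -Eq "$PAM_WHEEL_RE" "$1"
}

# pam_wheel_line_number FILE -> line number of the first active rule
# (prints nothing if there is none)
pam_wheel_line_number() {
    grep -nE "$PAM_WHEEL_RE" "$1" | head -n 1 | cut -d: -f1
}

# ensure_pam_wheel FILE -> add the rule exactly once:
#   after pam_rootok.so when present (root keeps password-less su),
#   else before the first auth line,
#   else appended at the end (the article's "append" case).
ensure_pam_wheel() {
    f=$1
    has_pam_wheel "$f" && return 0
    if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_rootok\.so' "$f"; then
        awk -v line="$PAM_WHEEL_LINE" \
            '{ print } !done && /^[ \t]*auth[ \t].*pam_rootok\.so/ { print line; done = 1 }' \
            "$f" > "$f.tmp"
    elif grep -Eq '^[[:space:]]*auth[[:space:]]' "$f"; then
        awk -v line="$PAM_WHEEL_LINE" \
            '!done && /^[ \t]*auth[ \t]/ { print line; done = 1 } { print }' \
            "$f" > "$f.tmp"
    else
        cp "$f" "$f.tmp" && printf '%s\n' "$PAM_WHEEL_LINE" >> "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# restrict_su USER PAMFILE... -> run the whole procedure (as root)
restrict_su() {
    user=$1
    shift
    add_to_wheel "$user"
    for f in "$@"; do
        ensure_pam_wheel "$f"
        echo "$f: pam_wheel rule active at line $(pam_wheel_line_number "$f")"
    done
}

# Example invocation (commented out so sourcing this file changes nothing):
# restrict_su rocky /etc/pam.d/su /etc/pam.d/su-l
```

After running it as root, confirm the effect from a non-wheel account with `su -`: the attempt is denied and logged, while a wheel member is still asked for the root password as before. Pass both /etc/pam.d/su and /etc/pam.d/su-l on distributions that ship the second file, otherwise `su -` bypasses the restriction.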

7 comments
  • Laura S. Feb 14, 2016 @ 0:56

    How can I set up a regular user with both regular and elevated privileges, so that when the user logs on to the system, he/she only has regular privileges, but when he/she su to his/her own account (NOT root, but an account with elevated privileges), this person can do everything root can do? Is this technically feasible?

  • alpha Jul 31, 2013 @ 3:45

    You will be able to issue “su -” and get a login shell if you only edit /etc/pam.d/su, you need to edit /etc/pam.d/su-l as well.

  • Ankit Aug 29, 2011 @ 11:34

    Great tip, now I have blocked the root ssh login and also allowed a particular user to use su. 🙂

    Thanks a lot for this tip.

    Regards
    Ankit.

  • jalal hajigholamali Aug 17, 2011 @ 15:36

    thanks a lot.
    Any history about wheel, why did they choose wheel?

  • ardmad Jul 9, 2009 @ 18:07

    Hi. Can you tell me how or in what interface I should type:

    $ su root

    I don’t quite understand where to type that. Thanks.

  • Vasudeva Apr 18, 2008 @ 20:31

    Can we restrict multiple users using the su command at a time? Like user1 is already using su - and working on some commands. Can we disallow user2 using it at the same time? Please let me know how we can configure this.
