Disable su on machine

susudo

Is there a way to allow su only for specified users (like using visudo for sudo).

The reason for this is I'd like to keep a simple (weak) password for my root account and have accounts that can su/sudo only be able to login to the machine using a pub/private key.

Then, all other accounts would not be able to su as root or as an account that can su.

Best Answer

Yep, the 'wheel' group trick is also available on linux: you just need to configure pam for it and then, only wheel members can run su.

On Debian, you have to uncomment the wheel line of /etc/pam.d/su

This is definitely the first thing to do on any server, or else, any webserver/ hacked can lead to a root hack.

Related Solutions

Linux Security – Allow One User to su to Another Without Root Access

Yes, this is possible.

In /etc/sudoers the item immediately following the equals is the user that the command will be allowed to execute as.

tom  ALL=(oracle) /bin/chown tom *

The user (tom) can type sudo -u oracle /bin/chown tom /home/oracle/oraclefile

Configure sudo to ask for root password

I think you're trying to make sudo work in a way that it is not ment to - you don't want to add the 'simple' user to the sudoers file (please correct me if i'm wrong).

In that case sudo isn't the tool you want to use you want to issue su -c <command> this will prompt for the root password, execute the command, then exit.

Best Answer

Related Solutions

Linux Security – Allow One User to su to Another Without Root Access

Configure sudo to ask for root password

Related Topic