Linux: prohibit non-wheel users from using the su command (reprinted)

Source: Internet
Author: User

Normally, an ordinary user can become root and perform administrator-level configuration by running the "su -" command and entering the correct root password.

However, to further harden the system it is advisable to create an administrators group, allow only members of that group to run "su -" to become root, and make sure that users in other groups cannot become root even if they run "su -" and enter the correct root password. On UNIX and Linux this group is conventionally named "wheel".

First, prohibit non-wheel group users from switching to root
1. Modify the /etc/pam.d/su configuration

    [root@localhost ~]# vi /etc/pam.d/su                                   ← open this configuration file
    #auth           required        /lib/security/$ISA/pam_wheel.so use_uid   ← find this line and remove the leading "#"


2. Modify the /etc/login.defs file

    [root@localhost ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs         ← append this line to the end of the file

After this, create a new user and test with it: a user who has not been added to the wheel group cannot become root with "su -", even when the correct root password is entered.


3. Add a user woo and test whether it can switch to root

    [root@localhost ~]# useradd woo
    [root@localhost ~]# passwd woo
    Changing password for user woo.
    New UNIX password:
    BAD PASSWORD: it is too short
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.

4. Log in as woo and attempt to switch to root

    [woo@localhost ~]$ su - root          ← cannot switch even though the password is entered correctly
    Password:
    su: incorrect password
    [woo@localhost ~]$

5. Add woo to the wheel group and try to switch again; this time it works

    [root@localhost ~]# usermod -G wheel woo      ← add the ordinary user woo to the administrators group wheel (upper-case -G adds a supplementary group; lower-case -g would replace the user's primary group instead)
    [root@localhost ~]# su - woo
    [woo@localhost ~]$ su - root                   ← this time the switch succeeds
    Password:
    [root@localhost ~]#

Second, add users to the administrators group and prohibit ordinary users from su to root
6. Add a user, put it in the administrators group, and prohibit ordinary users from su to root; combine this with installing OpenSSH/OpenSSL to strengthen remote management security

  [root@localhost ~]# useradd admin
  [root@localhost ~]# passwd admin
  Changing password for user admin.
  New UNIX password:
  BAD PASSWORD: it is too short
  Retype new UNIX password:
  passwd: all authentication tokens updated successfully.
  [root@localhost ~]# usermod -G wheel admin      (either "usermod -G wheel admin" or "usermod -G 10 admin"; 10 is the GID of the wheel group)
  [root@localhost ~]# su - admin
  [admin@localhost ~]$ su - root
  Password:
  [root@localhost ~]#

Method one: the administrators group can also be a group other than wheel. Edit /etc/pam.d/su and add the following two lines:

    [root@localhost ~]# vi /etc/pam.d/su
    auth       sufficient   /lib/security/pam_rootok.so debug
    auth       required     /lib/security/pam_wheel.so group=wheel

Method two: edit /etc/pam.d/su and remove the "#" from the following line

    [root@localhost ~]# vi /etc/pam.d/su
    #auth  required  /lib/security/$ISA/pam_wheel.so use_uid   ← (Red Hat) find this line and remove the leading "#"
    #auth  required  pam_wheel.so use_uid                      ← (CentOS 5) find this line and remove the leading "#"

Save and exit, then:

    [root@localhost ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs         ← append this line to the end of the file
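The following audit helper is an added example, not part of the original article: it checks whether a /etc/pam.d/su file actually has an active pam_wheel rule (a leading "#" means the shipped default is still in place), reports which group the rule enforces, and lists that group's members, since pam_wheel accepts both explicit /etc/group members and users whose primary GID is the group. On PAM-enabled su (the usual case) it is this PAM rule that does the enforcing, so the helper inspects the PAM file rather than login.defs. All file contents below are constructed samples, not real system files.

```shell
#!/bin/sh
# Added audit helper, not part of the original article.
# Prints the group pam_wheel enforces and returns 0 if an active (uncommented)
# "auth required/requisite ... pam_wheel.so" line exists, else returns 1.
su_wheel_check() {
    pam_file="$1"
    # Commented-out lines (the shipped default) are not active rules.
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_wheel\.so' "$pam_file" \
           | grep -v 'deny' | head -n 1)
    [ -n "$line" ] || return 1
    # pam_wheel defaults to "wheel" unless group=<name> overrides it.
    group=$(printf '%s\n' "$line" | grep -oE 'group=[^[:space:]]+' | cut -d= -f2)
    printf '%s\n' "${group:-wheel}"
}

# Members of a group from /etc/group-style files; pam_wheel also accepts users
# whose primary GID in /etc/passwd is the group, so both sources are merged.
group_members() {
    group_file="$1"; passwd_file="$2"; name="$3"
    gid=$(awk -F: -v g="$name" '$1==g {print $3}' "$group_file")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$name" '$1==g && $4!="" {gsub(",", "\n", $4); print $4}' "$group_file"
        awk -F: -v gid="$gid" '$4==gid {print $1}' "$passwd_file"
    } | sort -u
}

# Constructed sample files (not real system files) to exercise the checks.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '#auth required /lib/security/$ISA/pam_wheel.so use_uid' \
    'auth sufficient /lib/security/$ISA/pam_rootok.so' > "$SAMPLE_DIR/su.default"
printf '%s\n' 'auth required /lib/security/$ISA/pam_wheel.so use_uid' > "$SAMPLE_DIR/su.enforced"
printf '%s\n' 'auth sufficient /lib/security/pam_rootok.so debug' \
    'auth required /lib/security/pam_wheel.so group=admins' > "$SAMPLE_DIR/su.admins"
printf '%s\n' 'root:x:0:' 'wheel:x:10:woo' 'admins:x:11:' > "$SAMPLE_DIR/group"
printf '%s\n' 'root:x:0:0::/root:/bin/bash' 'woo:x:500:500::/home/woo:/bin/bash' \
    'admin:x:501:10::/home/admin:/bin/bash' 'bob:x:502:502::/home/bob:/bin/bash' > "$SAMPLE_DIR/passwd"

# Report each sample configuration the way an audit script would.
for f in su.default su.enforced su.admins; do
    if g=$(su_wheel_check "$SAMPLE_DIR/$f"); then
        echo "$f: su to root restricted to group '$g': $(group_members "$SAMPLE_DIR/group" "$SAMPLE_DIR/passwd" "$g" | tr '\n' ' ')"
    else
        echo "$f: pam_wheel not active, any user who knows the root password can su"
    fi
done
```

Run it against the real files with su_wheel_check /etc/pam.d/su and group_members /etc/group /etc/passwd wheel to confirm the change from the steps above took effect.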
