Linux prohibits non-wheel users from using the SU command

Typically, a typical user can log on as the root user to configure the system at the administrator level by executing the "Su-" command and entering the correct root password.

However, in order to further enhance the security of the system, it is necessary to establish a group of administrators, only allow users of this group to execute the "Su-" command to log on as the root user, and let other groups of users even if the "Su-", entered the correct root password, can not log into the root user. Under UNIX and Linux, the name of this group is usually "wheel".

First, prohibit non-Whell group users to switch to root
1. Modify/ETC/PAM.D/SU Configuration

[[email protected] ~]# vi/etc/pam.d/su← Open this configuration file #auth required/lib/security/$ISA/pam_wheel.so use_uid      ← Find this line, Remove the "#" from the beginning of the line

2. Modify the/etc/login.defs file

[[email protected] ~]# echo "su_wheel_only yes" >>/etc/login.defs← add statement to the end of the line after the completion of the operation, you can create a new user, and then use this new user test will find that No users joined to the wheel group, execute "Su-" command, even if the correct root password is entered, can not log on as the root user

3, add a user woo, test whether you can switch to root

[Email protected] ~]# useradd woo[[email protected] ~]# passwd woochanging password for user Woo. New Unix Password:bad password:it is the too Shortretype new UNIX Password:passwd:all authentication tokens updated Su Ccessfull

4. Switch to root by Woo user login attempt

[Email protected] ~]$ Su-root           

5: The root user to join the wheel group and then try to switch, you can switch

[[email protected] ~]# usermod-g Wheel Woo    ← Add a regular user woo in the Administrators group wheel Group [[email protected] ~]# Su-woo[[email protected] ~ ]$ su-root           ← This  time we see is can switch the   Password: [[email protected] ~]#     

Second, add users to the administrator, prohibit ordinary users su to root
6, add users, and join the Administrators group, prohibit ordinary users su to root, to cooperate with the installation of OPENSSH/OPENSSL to enhance remote management security

[Email protected] ~]# useradd admin[[email protected] ~]# passwd adminchanging password for user admin. New Unix Password:bad Password:it is too shortretype new UNIX Password:passwd:all authentication tokens updated succes Sfully. [Email protected] ~]# usermod-g wheel Admin   

Method One: Wheel group can also be specified as other groups, edit/etc/pam.d/su Add the following two lines

Method Two: Edit/etc/pam.d/su to remove the following line # symbol

[Email protected] ~]# vi/etc/pam.d/su#redhat#auth required/lib/security/$ISA/pam_wheel.so use_uid← Find this line, remove the "#" from the beginning #Ce Ntos5#auth Required pam_wheel.so use_uid← Find this trip, remove the "#" from the beginning of the line

#保存退出即可 ============

[[email protected] ~]# echo "su_wheel_only yes" >>/etc/login.defs← add statement to end of line

(actual test this step can be omitted)

Linux prohibits non-wheel users from using the SU command