Linux prohibits non-WHEEL users from using the SU command
Generally, you can log on as the root user to configure the system as Administrator by executing the "su-" command and entering the correct root password.
However, in order to further enhance the security of the system, it is necessary to establish an Administrator group that only allows users in this group to execute the "su-" command to log on as the root user, users in other groups cannot Log On As root even if they execute "su-" and enter the correct root password. In UNIX and Linux, the group name is usually "wheel ".
1. Prohibit Non-whell group users from switching to the root user
1. Modify the/etc/pam. d/su configuration.
[Root @ db01 ~] # Vi/etc/pam. d/su fill open this configuration file # auth required/lib/security/$ ISA/pam_wheel.so use_uid fill find this line and remove "#" from the beginning of the line
2. Modify the/etc/login. defs File
[Root @ db01 ~] # Echo "SU_WHEEL_ONLY yes">/etc/login. after adding a statement to the end of a row in defs partition, you can create a new user. Then, you can test the new user and find that the user is not added to the wheel group, run the "su-" command. Even if you enter the correct root password, you cannot log on as the root user.
3. Add a user woo and test whether the user can switch to the root user.
[root@db01 ~]# useradd woo[root@db01 ~]# passwd wooChanging password for user woo.New UNIX password: BAD PASSWORD: it is WAY too shortRetype new UNIX password: passwd: all authentication tokens updated successfull
4. Try to switch to root through woo User Login
[Woo @ db01 ~] $ Su-root login cannot switch Password: su: incorrect password [woo @ db01 ~] Even if the Password is entered correctly $
5: add the root user to the wheel group and try to switch.
[Root @ db01 ~] # Usermod-G wheel woo plugin add normal user woo to the Administrator Group's wheel group [root @ db01 ~] # Su-woo [woo @ db01 ~] $ Su-root token. At this time, we can see that the Password can be switched: [root @ db01 ~]. #
2. Add a user to the Administrator and prohibit normal users from su to root.
6. Add users and add them to the Administrator group. Disable common users from su to root to install OpenSSH/OpenSSL to enhance Remote Management Security.
[Root @ db01 ~] # Useradd admin [root @ db01 ~] # Passwd adminChanging password for user admin. New UNIX password: bad password: it is too shortRetype new UNIX password: passwd: all authentication tokens updated successfully. [root @ db01 ~] # Usermod-G wheel admin (usermod-G wheel admin or usermod-G10 admin (10 is the ID of the wheel group) [root @ db01 ~] # Su-admin [admin @ db01 ~] $ Su-rootPassword: [root @ db01 ~] #
Method 1: The wheel group can also be specified as another group. edit/etc/pam. d/su and add the following two lines:
[root@db01 ~]# vi /etc/pam.d/suauth sufficient /lib/security/pam_rootok.so debugauth required /lib/security/pam_wheel.so group=wheel
Method 2: edit/etc/pam. d/su and remove the following line # symbol
[Root @ db01 ~] # Vi/etc/pam. d/su # RedHat # auth required/lib/security/$ ISA/pam_wheel.so use_uid locate this line and remove "#" # CentOS5 # auth required pam_wheel.so use_uid found this line, remove "#" at the beginning of the line
# Save and exit ==============
[Root @ db01 ~] # Echo "SU_WHEEL_ONLY yes">/etc/login. defs statement: add the statement to the end of the row.
(The actual test can be omitted)