Typically, an ordinary user can log on as root to administer the system by running the "su -" command and entering the correct root password.
To tighten this, create an administrators group and allow only its members to run "su -" to become root; users outside that group cannot become root even if they run "su -" and enter the correct root password. Under UNIX and Linux this group is conventionally named "wheel".
First, prohibit users outside the wheel group from switching to root
1. Modify the /etc/pam.d/su configuration

```
[root@host ~]# vi /etc/pam.d/su                                    ← open this configuration file
#auth required /lib/security/$ISA/pam_wheel.so use_uid              ← find this line and remove the leading "#"
```

The use_uid option makes pam_wheel check the real uid of the calling user rather than the login name reported by getlogin().
2. Modify the /etc/login.defs file

```
[root@host ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs           ← append this setting to the end of the file
```

After this, create a new user and test: a user who has not been added to the wheel group cannot become root with "su -", even when the correct root password is entered. (SU_WHEEL_ONLY is honoured by the shadow-utils su built without PAM; on a PAM-enabled system the pam_wheel.so rule from step 1 is what enforces the restriction.)
3. Add a user woo and test whether it can switch to root

```
[root@host ~]# useradd woo
[root@host ~]# passwd woo
Changing password for user woo.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
```
4. Log in as woo and try to switch to root

```
[woo@host ~]$ su - root                                             ← cannot switch, even with the correct password
Password:
su: incorrect password
[woo@host ~]$
```
5. Add woo to the wheel group and try again; now the switch succeeds

```
[root@host ~]# usermod -G wheel woo                                  ← add the regular user woo to the administrators group wheel
[root@host ~]# su - woo
[woo@host ~]$ su - root                                             ← this time the switch works
Password:
[root@host ~]#
```
Second, add users to the administrators group and prohibit ordinary users from su-ing to root
6. Add a user, put it in the administrators group, and prohibit ordinary users from su-ing to root; combine this with an OpenSSH/OpenSSL installation to harden remote management
```
[root@host ~]# useradd admin
[root@host ~]# passwd admin
Changing password for user admin.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@host ~]# usermod -G wheel admin                                ← or usermod -G 10 admin (10 is the GID of the wheel group)
[root@host ~]# su - admin
[admin@host ~]$ su - root
Password:
[root@host ~]#
```
Method one: pam_wheel can enforce a group other than wheel through its group= option; edit /etc/pam.d/su and add the following two lines (shown here with wheel)

```
[root@host ~]# vi /etc/pam.d/su
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
```
Method two: edit /etc/pam.d/su and remove the "#" from the following line

```
[root@host ~]# vi /etc/pam.d/su
# Red Hat:  #auth required /lib/security/$ISA/pam_wheel.so use_uid   ← find this line and remove the leading "#"
# CentOS 5: #auth required pam_wheel.so use_uid                      ← find this line and remove the leading "#"
```

Save and exit.

```
[root@host ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs           ← append this setting to the end of the file
```
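An added audit helper, not from the original post, that checks whether a pam.d/su file carries an active pam_wheel.so rule, reports which group it enforces (group= if set, otherwise pam_wheel's default wheel) and lists that group's members from a group(5) file. File paths default to /etc/pam.d/su and /etc/group; the demo at the end runs on constructed sample files with made-up users, and the function names are this helper's own.

```shell
#!/bin/sh
# Added audit helper, not from the original post: tell whether su is restricted
# to the wheel group, from a pam.d/su file and a group(5) file. Paths default to
# the live system files; demo() at the bottom uses constructed sample files.

# Active (uncommented) pam_wheel.so auth rule, with or without the
# /lib/security/$ISA/ path prefix seen on older Red Hat releases.
WHEEL_RULE='^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_wheel\.so'

# Succeeds when the su policy contains an active pam_wheel.so rule.
su_pam_wheel_active() {
    grep -Eq "$WHEEL_RULE" "${1:-/etc/pam.d/su}"
}

# Prints the group the rule enforces: group=NAME if set, else pam_wheel's default "wheel".
su_pam_wheel_group() {
    g=$(grep -E "$WHEEL_RULE" "${1:-/etc/pam.d/su}" |
        sed -n 's/.*[[:space:]]group=\([^[:space:]]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${g:-wheel}"
}

# Prints the comma-separated members of the enforced group from a group(5) file.
su_allowed_users() {
    awk -F: -v g="$(su_pam_wheel_group "${1:-/etc/pam.d/su}")" \
        '$1 == g { print $4 }' "${2:-/etc/group}"
}

# One-line verdict for a pam.d/su file ($1) and a group file ($2).
su_report() {
    if su_pam_wheel_active "$1"; then
        printf 'su restricted to group %s (members: %s)\n' \
            "$(su_pam_wheel_group "$1")" "$(su_allowed_users "$1" "$2")"
    else
        printf 'su NOT restricted: no active pam_wheel.so rule in %s\n' "$1"
    fi
}

# Demo on constructed files: the "before" policy still has the rule commented out.
demo() {
    d=$(mktemp -d)
    printf 'auth sufficient pam_rootok.so\n#auth required pam_wheel.so use_uid\n' > "$d/su.before"
    printf 'auth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid\n' > "$d/su.after"
    printf 'root:x:0:\nwheel:x:10:admin\nwoo:x:500:\n' > "$d/group"
    su_report "$d/su.before" "$d/group"
    su_report "$d/su.after" "$d/group"
    rm -rf "$d"
}
demo
```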
Linux: prohibiting non-wheel users from using the su command (reprinted)