Linux prohibits non-wheel users from using the SU command

Source: Internet
Author: User

Normally, any ordinary user can run the "su -" command, enter the correct root password, and log in as root to carry out administrator-level configuration of the system.

To further tighten the security of the system, however, it is better to set up an administrators group and allow only the members of that group to run "su -" and log in as root. Users outside that group cannot log in as root even if they run "su -" and enter the correct root password. On UNIX and Linux this group is conventionally named "wheel".

Part 1: Prohibit users outside the wheel group from switching to root
1. Edit the /etc/pam.d/su configuration

[root@host ~]# vi /etc/pam.d/su                                   ← open this configuration file
#auth required /lib/security/$ISA/pam_wheel.so use_uid             ← find this line and remove the "#" at the beginning of the line


2. Edit the /etc/login.defs file

[root@host ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs         ← append this line to the end of the file

Once this is done, create a new user to test with. You will find that a user who has not been added to the wheel group cannot log in as root by running "su -", even when the correct root password is entered.


3. Create a user woo and test whether it can switch to root

[root@host ~]# useradd woo
[root@host ~]# passwd woo
Changing password for user woo.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

4. Log in as user woo and try to switch to root

[woo@host ~]$ su - root                  ← refused: woo is not yet a member of the wheel group

5. Add the user woo to the wheel group and try again; this time the switch succeeds

[root@host ~]# usermod -g wheel woo      ← add the regular user woo to the administrators group wheel
[root@host ~]# su - woo
[woo@host ~]$ su - root                  ← this time the switch is allowed
Password:
[root@host ~]#

Part 2: Add a user to the administrators group and prohibit ordinary users from su to root
6. Create a user, add it to the administrators group, and prohibit ordinary users from su to root. Combined with installing OpenSSH/OpenSSL, this improves the security of remote management.

[root@host ~]# useradd admin
[root@host ~]# passwd admin
Changing password for user admin.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@host ~]# usermod -g wheel admin

Method one: a group other than wheel can also be designated as the administrators group. Edit /etc/pam.d/su and add, for example, the following two lines.

Method two: edit /etc/pam.d/su and remove the "#" symbol from the following line.

[root@host ~]# vi /etc/pam.d/su
# Red Hat:
#auth required /lib/security/$ISA/pam_wheel.so use_uid    ← find this line and remove the "#" at the beginning of the line
# CentOS 5:
#auth required pam_wheel.so use_uid                       ← find this line and remove the "#" at the beginning of the line

Save and exit; that is all that is needed.

[root@host ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs    ← append this line to the end of the file


(In actual testing this step can be omitted.)
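As an added example (not part of the original post), the following POSIX shell script checks the result of the steps above the way a defender would audit a host: it reads an /etc/pam.d/su-style file, reports whether an active pam_wheel.so restriction is present, and names the group it enforces. The sample files it creates are constructed for the demonstration and the group name "sysadmin" is an assumption; the group=NAME option it parses is a real pam_wheel option and covers the "different group" case of Method one, and use_uid (also real) makes pam_wheel check the group membership of the user invoking su rather than the original login user.

```shell
#!/bin/sh
# Added example, not from the original post: audit an /etc/pam.d/su-style
# file and report whether "su" is restricted to a group by pam_wheel.so.
#
# pam_wheel_group FILE
#   Returns 0 and prints the enforcing group when FILE has an active
#   (uncommented) "auth required|requisite ... pam_wheel.so" line; the group
#   is "wheel" by default or the value of a group=NAME option. Returns 1 and
#   prints nothing when no such line exists. Lines carrying the "trust"
#   option are ignored: they let group members skip the password and do
#   not restrict anyone.
pam_wheel_group() {
    line=$(grep -v '^[[:space:]]*#' "$1" \
        | grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+.*pam_wheel\.so' \
        | grep -Ev '[[:space:]]trust([[:space:]]|$)' \
        | head -n 1)
    [ -n "$line" ] || return 1
    g=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]group=\([^[:space:]]*\).*/\1/p')
    printf '%s\n' "${g:-wheel}"
}

# Constructed sample files (not real system files) in a scratch directory.
SAMPLES=$(mktemp -d)

# 1. Stock layout with pam_wheel commented out: any user who knows the root
#    password can "su -" to root.
cat > "$SAMPLES/su.open" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
#auth       sufficient  pam_wheel.so trust use_uid
#auth       required    pam_wheel.so use_uid
auth        include     system-auth
account     include     system-auth
EOF

# 2. The "#" removed as in the steps above: su restricted to group wheel.
cat > "$SAMPLES/su.wheel" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
auth        required    pam_wheel.so use_uid
auth        include     system-auth
account     include     system-auth
EOF

# 3. Method one: enforcing a group other than wheel (group name is an assumption).
cat > "$SAMPLES/su.custom" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
auth        required    pam_wheel.so use_uid group=sysadmin
auth        include     system-auth
account     include     system-auth
EOF

# Report on every sample; on a real host run: pam_wheel_group /etc/pam.d/su
for f in "$SAMPLES"/su.*; do
    if g=$(pam_wheel_group "$f"); then
        echo "$f: su to root restricted to members of group '$g'"
    else
        echo "$f: WARNING: no active pam_wheel.so restriction; any user with the root password can su to root"
    fi
done
```

Point the function at the real /etc/pam.d/su to confirm that the "#" was actually removed from the required line rather than from the commented sufficient/trust line above it, which would weaken rather than strengthen su.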
