Linux prohibits non-wheel users from using the SU command

Typically, the average user enters the correct rootpassword by running the "Su-" command. Ability to log on as the root user for administrator-level configuration of the system.

But. In order to further enhance the security of the system, it is necessary to establish a group of administrators, simply agree to this group of users to run the "Su-" command to log on as the root user. Users of other groups cannot log on as the root user even if they run "Su-" and enter the correct rootpassword. Under UNIX and Linux. The name of this group is usually "wheel".

First, prohibit non-Whell group users to switch to root
1, change/ETC/PAM.D/SU configuration

[[email protected] ~]# vi/etc/pam.d/su← Open this configuration file #auth required/lib/security/$ISA/pam_wheel.so use_uid      ← Find this line, Remove the "#" from the beginning of the line

2. Change/etc/login.defs file

[[email protected] ~]# echo "su_wheel_only yes" >>/etc/login.defs← add a statement to the end of the line after the completion of the operation, you can establish a new user. Then using this new user test will find that not joined to the wheel group of users, run the "Su-" command. Cannot log in as root user even if the correct Rootpassword is entered

3, join a user woo, test can be enough to switch to root

[Email protected] ~]# useradd woo[[email protected] ~]# passwd woochanging password for user Woo. New Unix Password:bad password:it is the too Shortretype new UNIX Password:passwd:all authentication tokens updated Su Ccessfull

4. Switch to root by Woo user login attempt

[Email protected] ~]$ Su-root           

5: Add root user to wheel group and try to switch, can switch

[[email protected] ~]# usermod-g Wheel Woo    ← Add a regular user woo in the Administrators group wheel Group [[email protected] ~]# Su-woo[[email protected] ~ ]$ su-root           ←  This time we see is able to switch the   Password: [[email protected] ~]#     

Second, join the user to the administrator, prohibit ordinary users su to root
6, join the user, and join the Administrators group. Prohibit normal user su to root. Install OPENSSH/OPENSSL to improve remote management security after mating

[Email protected] ~]# useradd admin[[email protected] ~]# passwd adminchanging password for user admin. New Unix Password:bad Password:it is too shortretype new UNIX Password:passwd:all authentication tokens updated succes Sfully. [Email protected] ~]# usermod-g wheel Admin   

Method One: The wheel group can also be specified as a different group. Edit/ETC/PAM.D/SU Join For example the following two lines

Method Two: Edit/etc/pam.d/su will be removed for example the following line # symbol

[Email protected] ~]# vi/etc/pam.d/su#redhat#auth required/lib/security/$ISA/pam_wheel.so use_uid← find this line. Remove the "#" at the beginning of the line #CentOS5 #auth required pam_wheel.so use_uid← Find this trip, remove the "#" from the beginning

#保存退出就可以 ============

[[email protected] ~]# echo "su_wheel_only yes" >>/etc/login.defs← add statement to end of line

(actual test this step can be omitted)

Linux prohibits non-wheel users from using the SU command