Normally any user who knows the root password can run `su -`, type it, and obtain a root shell for administrator-level configuration of the system.
To tighten this, it is common to define an administrators group and allow only its members to run `su -` to become root. Users outside that group are refused even if they run `su -` and enter the correct root password. On UNIX and Linux this group is conventionally named "wheel".
First, prohibit non-wheel group users from switching to root
1. Edit the /etc/pam.d/su configuration
[root@localhost ~]# vi /etc/pam.d/su      ← open this configuration file
#auth           required        /lib/security/$ISA/pam_wheel.so use_uid      ← find this line and remove the leading "#"
2. Edit /etc/login.defs
[root@localhost ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs      ← append the setting to the end of the file (the key is upper case; a PAM-enabled su ignores it, the pam_wheel line above does the real work)
After this, create a new user and test with it: a user who is not in the wheel group and runs `su -` cannot become root even after entering the correct root password.
3. Add a user woo and test whether it can switch to root
[root@localhost ~]# useradd woo
[root@localhost ~]# passwd woo
Changing password for user woo.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
4. Log in as woo and attempt to switch to root
[woo@localhost ~]$ su - root      ← refused: woo is not a member of wheel, so the correct root password does not help
5. Add woo to the wheel group and try again: the switch now succeeds
[root@localhost ~]# usermod -aG wheel woo      ← add the regular user woo to the administrators group wheel (-aG appends a supplementary group; -g would replace woo's primary group instead)
[root@localhost ~]# su - woo
[woo@localhost ~]$ su - root      ← this time the switch succeeds
Password:
[root@localhost ~]#
Second, add a user to the administrators group and forbid ordinary users from su to root
6. Create a user and add it to the administrators group; forbid ordinary users from running su to root. Combined with installing OpenSSH/OpenSSL, this improves the security of remote management.
[root@localhost ~]# useradd admin
[root@localhost ~]# passwd admin
Changing password for user admin.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# usermod -aG wheel admin
Method one: a group other than wheel can also be used. Edit /etc/pam.d/su and add, for example, the following two lines:
Method two: edit /etc/pam.d/su and remove the "#" from the following line
[root@localhost ~]# vi /etc/pam.d/su
# Red Hat:
#auth           required        /lib/security/$ISA/pam_wheel.so use_uid      ← find this line and remove the leading "#"
# CentOS 5:
#auth           required        pam_wheel.so use_uid      ← find this line and remove the leading "#"
Save and exit.
[root@localhost ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs      ← append the setting to the end of the file
(In practice this step can be omitted: a PAM-enabled su ignores SU_WHEEL_ONLY, and the uncommented pam_wheel line alone enforces the restriction.)
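As an added example (not code from the original post), the following POSIX shell script audits a pam.d/su file for the restriction enabled by the steps above and predicts whether a given user's `su - root` would be allowed. It works on constructed sample files written to a temporary directory rather than the live /etc, so it runs offline; the group sudoers and the users ops, woo and admin in the samples are constructed for the demo. It also recognises pam_wheel's group= option (the way to name a group other than wheel) and flags the trust option, which lets group members reach root without typing the password.

```shell
#!/bin/sh
# Audit a pam.d/su file for the pam_wheel restriction. Added example; the
# sample files below are constructed, not copied from a real system.

SAMPLE_DIR=$(mktemp -d)

# Constructed "before" file: both pam_wheel lines still commented out.
cat > "$SAMPLE_DIR/su.before" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         include         system-auth
EOF

# Constructed "after" file: the "required" line uncommented, as in step 1.
sed 's/^#auth\([[:space:]]*required\)/auth\1/' "$SAMPLE_DIR/su.before" > "$SAMPLE_DIR/su.after"

# Constructed variant: a different group via group=, plus trust (no password).
cat > "$SAMPLE_DIR/su.trust" <<'EOF'
auth            sufficient      pam_rootok.so
auth            sufficient      pam_wheel.so trust use_uid group=sudoers
auth            required        pam_wheel.so use_uid group=sudoers
auth            include         system-auth
EOF

# Constructed /etc/group excerpt: admin is in wheel, ops is in sudoers, woo in neither.
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:admin
sudoers:x:1001:ops
woo:x:500:
admin:x:501:
EOF

# Print the uncommented "auth required|requisite ... pam_wheel.so" line(s) that
# restrict su, ignoring ones carrying "deny" (which inverts the module's meaning).
# Exit 1 if there are none: su is then open to anyone who knows root's password.
wheel_required_line() {
    grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_wheel\.so' "$1" |
        grep -Ev '(^|[[:space:]])deny([[:space:]]|$)'
}

# Name of the group the restriction applies to: the group= option, else "wheel".
restricted_group() {
    line=$(wheel_required_line "$1") || return 1
    g=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]group=\([^[:space:]]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${g:-wheel}"
}

# Exit 0 if an uncommented pam_wheel line carries "trust": members of the group
# become root without the password. Worth flagging in an audit.
wheel_trust_enabled() {
    grep -E '^[[:space:]]*auth[[:space:]]+[^#[:space:]]+[[:space:]]+([^[:space:]]*/)?pam_wheel\.so' "$1" |
        grep -Eq '(^|[[:space:]])trust([[:space:]]|$)'
}

# Exit 0 if USER is a supplementary member of GROUP in the given group file.
# (pam_wheel also accepts a matching primary GID; that needs /etc/passwd, omitted here.)
in_group() {  # $1=group file  $2=group  $3=user
    grep -E "^$2:[^:]*:[^:]*:" "$1" | cut -d: -f4 | tr ',' '\n' | grep -qx "$3"
}

# Predict "su - root" for USER who types the correct root password: allowed/denied.
su_outcome() {  # $1=pam.d/su file  $2=group file  $3=user
    if g=$(restricted_group "$1"); then
        if in_group "$2" "$g" "$3"; then echo allowed; else echo denied; fi
    else
        echo allowed
    fi
}

# Demo over the constructed files.
for f in su.before su.after su.trust; do
    grp=$(restricted_group "$SAMPLE_DIR/$f" || echo none)
    if wheel_trust_enabled "$SAMPLE_DIR/$f"; then trust=yes; else trust=no; fi
    printf '%-9s group=%-7s trust=%-3s woo=%s admin=%s ops=%s\n' "$f" "$grp" "$trust" \
        "$(su_outcome "$SAMPLE_DIR/$f" "$SAMPLE_DIR/group" woo)" \
        "$(su_outcome "$SAMPLE_DIR/$f" "$SAMPLE_DIR/group" admin)" \
        "$(su_outcome "$SAMPLE_DIR/$f" "$SAMPLE_DIR/group" ops)"
done
```

Run against the real system with `restricted_group /etc/pam.d/su` and `su_outcome /etc/pam.d/su /etc/group "$USER"`; a result of "none" means the pam_wheel line is still commented out, and a trust=yes result means the group can reach root without a password, which is a stronger grant than the post intends.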
Linux: prohibit non-wheel users from using the su command