Linux prohibits non-WHEEL users from using the su command
Generally, you can log on as the root user to configure the system as Administrator by executing the "su-" command and entering the correct root password.
However, in order to further enhance the security of the system, it is necessary to establish an Administrator group that only allows users in this group to execute the "su-" command to log on as the root user, users in other groups cannot Log On As root even if they execute "su-" and enter the correct root password. In UNIX and Linux, the group name is usually "wheel ".
There is also an article about Linux prohibiting non-WHEEL users from using the su command.
1. Prohibit Non-whell group users from switching to the root user
1. Modify the/etc/pam. d/su configuration.
Root@www.bkjia.com ~ # Vi/etc/pam. d/su Hei open this configuration file
# Auth required/lib/security/$ ISA/pam_wheel.so use_uid locate this line and remove "#"
2. Modify the/etc/login. defs File
Root@www.bkjia.com ~ # Echo "SU_WHEEL_ONLY yes">/etc/login. after adding a statement to the end of a row in defs partition, you can create a new user. Then, you can test the new user and find that the user is not added to the wheel group, run the "su-" command. Even if you enter the correct root password, you cannot log on as the root user.
3. Add a user woo and test whether the user can switch to the root user.
Root@www.bkjia.com ~ # Useradd woo
Root@www.bkjia.com ~ # Passwd woo
Changing password for user woo.
New UNIX password:
Bad password: it is WAY too short
Retype new UNIX password:
Passwd: all authentication tokens updated successfull
4. Try to switch to root through woo User Login
Woo@www.bkjia.com ~ $ Su-root login cannot be switched even if the password is entered correctly
Password:
Su: incorrect password
Woo@www.bkjia.com ~ $
2. Add a user to the Administrator and prohibit normal users from su to root.
6. Add users and add them to the Administrator group. Disable common users from su to root to install OpenSSH/OpenSSL to enhance Remote Management Security.
Root@www.bkjia.com ~ # Useradd admin
Root@www.bkjia.com ~ # Passwd admin
Changing password for user admin.
New UNIX password:
Bad password: it is too short
Retype new UNIX password:
Passwd: all authentication tokens updated successfully.
Root@www.bkjia.com ~ # Usermod-G wheel admin (usermod-G wheel admin or usermod-G10 admin (10 is the ID of the wheel Group ))
Root@www.bkjia.com ~ # Su-admin
Admin@www.bkjia.com ~ $ Su-root
Password:
Root@www.bkjia.com ~ #
Method 1: The wheel group can also be specified as another group. edit/etc/pam. d/su and add the following two lines:
Root@www.bkjia.com ~ # Vi/etc/pam. d/su
Auth sufficient/lib/security/pam_rootok.so debug
Auth required/lib/security/pam_wheel.so group = wheel
Method 2: edit/etc/pam. d/su and remove the following line # symbol
Root@www.bkjia.com ~ # Vi/etc/pam. d/su
# RedHat # auth required/lib/security/$ ISA/pam_wheel.so use_uid locate this line and remove "#"
# CentOS5 # auth required pam_wheel.so use_uid locate this line and remove "#" at the beginning of the line.
# Save and exit ==============
Root@www.bkjia.com ~ # Echo "SU_WHEEL_ONLY yes">/etc/login. defs statement: add the statement to the end of the row.
(The actual test can be omitted)
This article permanently updates the link address: