Linux Security: Control access to the su command

By default, all users on a Linux distribution can use the su (switch user) command to become another user during a login session. If no username is given, su defaults to becoming the super user. On other UNIX systems, by contrast, one must be in the wheel group in order to access the su command.

This tutorial will show you how to restrict the use of the su command on Linux so that only users in the wheel group have access to it.

The wheel group is a special user group on Unix-like systems used to restrict access to the su command. The term wheel comes from the archaic slang phrase “big wheel”, which means an important and influential person.

Edit the /etc/pam.d/su config file:

sudo vi /etc/pam.d/su

Add the following line:

auth required /lib/security/pam_wheel.so use_uid

or

auth required pam_wheel.so use_uid

Save and close the file.

Now when a user who is not in the wheel group tries to use the su command, he/she will get a permission denied error, even if the password is typed correctly.

If you want to add a user to the wheel group, use the following command. The -a (append) flag keeps the user's existing supplementary groups; without it, -G replaces them with the list given.

sudo usermod -aG wheel username

Use the id command to check if the user is in the wheel group:

id username
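
The following script is an added example, not part of the original tutorial: it checks whether a PAM su config has an active (uncommented) pam_wheel line and lists the wheel members from a group file. The function names and the sample files, which stand in for /etc/pam.d/su and /etc/group, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether su is restricted to the wheel group.

# wheel_enforced FILE
# Succeeds if FILE has an active "auth required [path/]pam_wheel.so" line.
# A commented-out line does not count as enforcement.
wheel_enforced() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $2 == "required" && $3 ~ /(^|\/)pam_wheel\.so$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# wheel_members GROUPFILE
# Prints the members listed for wheel in a group(5)-format file.
# Users whose primary group is wheel are not listed in this field.
wheel_members() {
    awk -F: '$1 == "wheel" { gsub(/,/, " ", $4); print $4 }' "$1"
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_rootok.so' \
              '# auth required pam_wheel.so use_uid' > "$tmp/su.disabled"
printf '%s\n' 'auth sufficient pam_rootok.so' \
              'auth required pam_wheel.so use_uid' > "$tmp/su.enabled"
printf '%s\n' 'root:x:0:' 'wheel:x:10:alice,bob' 'users:x:100:carol' > "$tmp/group"

for f in "$tmp/su.disabled" "$tmp/su.enabled"; do
    if wheel_enforced "$f"; then
        echo "$f: su restricted to wheel members: $(wheel_members "$tmp/group")"
    else
        echo "$f: pam_wheel not active, any user may attempt su"
    fi
done
rm -rf "$tmp"
```

On a real system, call wheel_enforced /etc/pam.d/su and wheel_members /etc/group instead of the sample files.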