HPE Community
Operating System - Linux
1827807 Members
2200 Online
109969 Solutions
New Discussion

How to prevent su to root?

 
joseph wholey
Regular Advisor

‎03-21-2006 05:06 AM

‎03-21-2006 05:06 AM

How to prevent su to root?

I've installed sudo and sudoscripting on my RHEL AS3 implementation. I would now like to prevent everyone from su"ing" to the root user. I'd prefer that all use the "ss -u root" command as it will provide a much better audit trail. Can anyone point me in the direction of how I can prevent su to root. Thanks
0 Kudos
Reply
3 REPLIES 3
Sergejs Svitnevs
Honored Contributor

‎03-21-2006 06:03 AM

‎03-21-2006 06:03 AM

Re: How to prevent su to root?

Edit the su file (vi /etc/pam.d/su) and add the following line to the top of the file:
auth required /lib/security/Pam_wheel.so group=wheel

Which means only members of the "wheel" group can su to root. You can add the users to the group wheel so that only those users will be allowed to su as root.

Regards
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

‎03-21-2006 06:04 AM

‎03-21-2006 06:04 AM

Re: How to prevent su to root?

Nobody that does not know the root password wont be able to su to root using the su command. You can also restrict further by using pam_wheel.so module. Edit /etc/pam.d/su:

auth required /lib/security/$ISA/pam_wheel.so use_uid

Only members of the wheel group will be able to use su.

To avoid su to root using sudo, configure something like this:

SUCMD = !/usr/bin/su*root*, /usr/bin/su
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎03-21-2006 09:05 AM

‎03-21-2006 09:05 AM

Re: How to prevent su to root?

Shalom,

The pam file above can be used to preven root from using su to other users without password authentication.

That's the best you can do.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.