By default all user has access to command “su”. This command allows login to other user from current shell. Of course they should know target user password. The problem is you cannot have control/log of users once they switched successfully. What happens if the user by chance able to switch as root?
Desired secure method to switch across user is restrict “su” command. Enforce them to use “sudo” instead.
The pam_wheel.so module made this possible. Only the users whoever member of “wheel” group are allowed to execute “su” command. Rest others will see PAM authentication failure message (Incorrect password).
Ensure pam_wheel.so is installed
#ls -l /lib/security/pam_wheel.so (or) #ls -l /lib64/security/pam_wheel.so
If you do not found try updating pam package.
Insert this line at “auth” section of both /etc/pam.d/su and /etc/pam.d/su-l files.
auth required pam_wheel.so use_uid
At the end the file should look like as shown here.
#cat /etc/pam.d/su-l #%PAM-1.0 auth sufficient pam_rootok.so auth required pam_wheel.so use_uid auth include common-auth account sufficient pam_rootok.so account include common-account password include common-password session include common-session session optional pam_xauth.so
Appending the pam_wheel.so entry at last will not work. It should be placed above the “include common-auth” line.
Refer pam_wheel man page to know more about options supported by pam_wheel.so.
On Redhat the same above setting should work. But no need of /etc/pam.d/su-l file.
Don’t forget to add root user to wheel group. Since PAM blocks root as well from executing “su” command.
#usermod -G wheel root
Replace wheel group
By default “wheel” group is used to grant access to “su” command. It can be changed to your own using “group” option of pam_wheel module.
auth required pam_wheel.so use_uid group=uxadmins
This implies user’s part of “uxadmins” would be able to execute “su” command.
sles5:~ # cat /etc/group |grep wheel wheel:x:10:root sles5:~ # su - sun sun@sles5:~> sun@sles5:~> exit sun@sles5:~> su - sun Password: su: incorrect password
From above output understood user root able do “su” but other user “sun” cannot.