Restrict ‘su’ command – SUSE

By default every user can run the “su” command, which switches to another user from the current shell (provided they know the target user's password). The problem is that once a user has switched successfully, you have no control over, or log of, what they do. What happens if a user somehow manages to switch to root?

The preferred, more secure method is to restrict the “su” command and require users to use “sudo” instead.

Solution

The pam_wheel.so module makes this possible: only members of the “wheel” group are allowed to execute the “su” command. Everyone else gets a PAM authentication failure (“incorrect password”).

Step1

Ensure pam_wheel.so is installed

#ls -l /lib/security/pam_wheel.so
(or)
#ls  -l /lib64/security/pam_wheel.so

If it is not found, try updating the pam package.

Step2

Insert this line in the “auth” section of both the /etc/pam.d/su and /etc/pam.d/su-l files.

 auth  required  pam_wheel.so  use_uid

Afterwards the file should look like this.

#cat /etc/pam.d/su-l
#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     required       pam_wheel.so use_uid
auth     include        common-auth
account  sufficient     pam_rootok.so
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so

Note

Appending the pam_wheel.so entry at the end of the file will not work: PAM evaluates the auth stack in order, so the entry must be placed above the “auth include common-auth” line.

Refer to the pam_wheel man page for the other options supported by pam_wheel.so.

On Red Hat the same setting should work, but there is no /etc/pam.d/su-l file to edit.

Step3

Don’t forget to add the root user to the wheel group, since PAM otherwise blocks root from executing “su” as well. Use the -a flag so that root is appended to the wheel group rather than having its other supplementary groups replaced.

#usermod  -a  -G  wheel  root

Replace wheel group

By default the “wheel” group is used to grant access to the “su” command. It can be changed to a group of your own using the “group” option of the pam_wheel module.

auth  required  pam_wheel.so  use_uid group=uxadmins

This means that only users who are members of “uxadmins” will be able to execute the “su” command.
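As an added example (not part of the original post), the following POSIX shell functions audit a PAM service file for the configuration described in Step 2 and the “group” option above: whether a required pam_wheel.so line is present and sits above the “include common-auth” line, and which group it grants “su” access to. The function names and the sample files in the usage are my own; the script reads whatever files it is given, so it can be pointed at /etc/pam.d/su and /etc/pam.d/su-l on a real system.

```shell
#!/bin/sh
# Added example, not from the original post. Audits PAM service files for the
# pam_wheel.so "su" restriction. Function names are assumptions of this example.

# check_su_pam_config FILE
# Returns 0 when FILE has an "auth required|requisite pam_wheel.so" line and that
# line precedes the "auth include|substack common-auth|system-auth" line (the
# ordering the Note requires); returns 1 otherwise (missing or misplaced).
check_su_pam_config() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # skip comments/blank lines
        $1 == "auth" && ($2 == "required" || $2 == "requisite") \
            && $3 ~ /pam_wheel\.so$/ && !wheel { wheel = NR }    # first pam_wheel line
        $1 == "auth" && ($2 == "include" || $2 == "substack") \
            && $3 ~ /^(common-auth|system-auth)$/ && !inc { inc = NR }
        END { exit ((wheel && (!inc || wheel < inc)) ? 0 : 1) }
    ' "$1"
}

# su_allowed_group FILE
# Prints the group that the pam_wheel.so line grants "su" access to: the value of
# its group= option, or "wheel" when the option is absent. Prints nothing if
# FILE has no pam_wheel.so auth line.
su_allowed_group() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $3 ~ /pam_wheel\.so$/ {
            g = "wheel"
            for (i = 4; i <= NF; i++) if ($i ~ /^group=/) g = substr($i, 7)
            print g
            exit 0
        }
    ' "$1"
}

# group_members GROUPFILE GROUP
# Prints the comma-separated member list of GROUP from an /etc/group-style file
# (the check done by hand with "grep wheel /etc/group" in the Test section).
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4; found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Usage: ./audit_su.sh /etc/pam.d/su /etc/pam.d/su-l
for f in "$@"; do
    if check_su_pam_config "$f"; then
        echo "$f: OK, su restricted to group '$(su_allowed_group "$f")'"
    else
        echo "$f: NOT restricted (pam_wheel.so line missing or placed after common-auth)"
    fi
done
```

The checks are deliberately strict about the control flag: an entry marked “optional” or “sufficient” would not actually block anyone, so it is reported as not restricted.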

Test

sles5:~ # cat /etc/group |grep wheel
wheel:x:10:root
sles5:~ # su - sun
sun@sles5:~>
sun@sles5:~> exit
sun@sles5:~> su - sun
Password:
su: incorrect password

The above output shows that root is able to “su” but the other user, “sun”, cannot.