Restrict ‘su’ command – SUSE

By default every user has access to the “su” command, which lets them log in as another user from the current shell, provided they know the target user’s password. The problem is that you have no control over, or log of, what a user does once the switch succeeds. What happens if a user manages to switch to root?

The more secure approach is to restrict the “su” command and make users switch identities with “sudo” instead.


The pam_wheel module makes this possible. Only users who are members of the “wheel” group are allowed to execute “su”; everyone else sees a PAM authentication failure (“incorrect password”).


Ensure the pam_wheel module is installed by listing the PAM module directories:

#ls -l /lib/security/
#ls  -l /lib64/security/

If it is not found, try updating the pam package.


Insert this line in the “auth” section of both /etc/pam.d/su and /etc/pam.d/su-l:

auth  required  pam_wheel.so  use_uid

Afterwards the file should look like this:

#cat /etc/pam.d/su-l
auth     sufficient
auth     required pam_wheel.so use_uid
auth     include        common-auth
account  sufficient
account  include        common-account
password include        common-password
session  include        common-session
session  optional


Appending the entry at the end of the file will not work; it must be placed above the “include common-auth” line.

Refer to the pam_wheel man page for the other options the module supports.

On Red Hat the same setting should work, but there is no need to edit an /etc/pam.d/su-l file; only /etc/pam.d/su is required.


Don’t forget to add the root user to the wheel group, since PAM otherwise blocks root from executing “su” as well. Use -a so that root’s existing supplementary groups are kept rather than replaced:

#usermod  -a -G wheel root

Replace wheel group

By default the “wheel” group is used to grant access to the “su” command. It can be changed to a group of your own with the “group” option of the pam_wheel module:

auth  required  pam_wheel.so  use_uid group=uxadmins

With this, only users who are members of “uxadmins” are able to execute the “su” command.
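As an added example (not from the original post), a small POSIX shell audit of the PAM files described above: it checks that the pam_wheel rule is present and sits above the “include common-auth” line, and reports which group the rule grants “su” to (the group= option, or wheel by default). The sample PAM files are constructed inline; the module name pam_wheel.so and the file layout are assumptions.

```shell
#!/bin/sh
# Added example: audit an /etc/pam.d/su or su-l file for the pam_wheel rule
# described above. Assumes the module is pam_wheel.so (the page refers to the
# pam_wheel man page). The sample files below are constructed, not system files.

WHEEL_RE='^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so'
INCLUDE_RE='^[[:space:]]*auth[[:space:]]+include[[:space:]]+common-auth'

# first matching line number, empty if none (commented-out lines never match)
line_of() { grep -n -E "$1" "$2" | head -n 1 | cut -d: -f1; }

# 0: rule present and above the include; 1: missing or ordered wrongly; 2: unreadable
check_su_pam() {
    file="$1"
    [ -r "$file" ] || { echo "$file: not readable" >&2; return 2; }
    wheel_ln=$(line_of "$WHEEL_RE" "$file")
    inc_ln=$(line_of "$INCLUDE_RE" "$file")
    if [ -z "$wheel_ln" ]; then
        echo "$file: no 'auth required pam_wheel.so' rule"; return 1
    fi
    if [ -n "$inc_ln" ] && [ "$wheel_ln" -gt "$inc_ln" ]; then
        echo "$file: pam_wheel.so rule (line $wheel_ln) is below 'include common-auth' (line $inc_ln); move it above"; return 1
    fi
    echo "$file: OK, pam_wheel.so rule at line $wheel_ln"; return 0
}

# print the group the rule grants su to: the group= option, or wheel by default
su_group() {
    g=$(grep -E "$WHEEL_RE" "$1" | head -n 1 | sed -n 's/.*group=\([^[:space:]]*\).*/\1/p')
    echo "${g:-wheel}"
}

# constructed samples: correct order, rule appended after the include, rule absent
tmp=$(mktemp -d)
printf 'auth     required pam_wheel.so use_uid\nauth     include  common-auth\n' > "$tmp/good"
printf 'auth     include  common-auth\naccount  include  common-account\nauth     required pam_wheel.so use_uid group=uxadmins\n' > "$tmp/bad"
printf '# auth  required pam_wheel.so use_uid\nauth     include  common-auth\n' > "$tmp/missing"
for f in good bad missing; do check_su_pam "$tmp/$f" || :; done
```

Run it against the real /etc/pam.d/su and /etc/pam.d/su-l by calling check_su_pam with those paths; a non-zero return means the restriction is not in effect.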


sles5:~ # cat /etc/group |grep wheel


sles5:~ # su - sun


sun@sles5:~> exit

sun@sles5:~> su - sun


su: incorrect password

The output above shows that root is able to run “su” while the ordinary user “sun” cannot.