search
HomeSystem TutorialLINUXHow To Restrict Su Command To Authorized Users In Linux

The su command is a powerful tool that can be used to switch to another user's account. However, it can also be used by bad persons to gain unauthorized access to your system. By restricting the use of the su command, you can help to protect your Linux system from unauthorized access.

Table of Contents

Introduction

In our previous tutorial, we learned how to "grant or deny sudo access to a group" in Linux to make things safer and manage groups better. However, this alone may not be enough.

If a bad person gains access to an account without sudo privileges, they can still try to login as root or another user with sudo privileges by using the su command. As you already know, the su command allows users to execute commands as other accounts, including the root account.

To address this concern, we need to ensure that only specific accounts have the privilege to use the su command. This extra step will add even more security to our system. In this brief tutorial, we will learn how to restrict the su command usage to authorized users in Linux.

Here are some of the reasons why you might want to restrict the use of the su command:

  • To prevent unauthorized users from gaining access to sensitive data.
  • To prevent unauthorized users from making changes to system settings.
  • To prevent unauthorized users from installing malicious software.

1. Restrict Su Command Usage to Particular Users in Debian and its Derivatives

To limit who can use su command, we need to create a dedicated group and allow only the members of that particular group can use su command. Let us see how to do that.

1. For the purpose of this guide, I am going to create two users namely user1 and user2.

$ sudo adduser user1
$ sudo adduser user2

2. Next, create a new group called adminmembers.

$ sudo groupadd adminmembers

3. Add the 'user1' and 'user2' to the group.

$ sudo usermod -aG adminmembers user1
$ sudo usermod -aG adminmembers user2

Similarly, add all other users to this group.

You can verify the members of this group using command:

$ getent group adminmembers

Sample output:

adminmembers:x:1005:user1,user2

4. Now, run the following command to restrict the su command to only the members of the 'adminmembers' group:

$ sudo dpkg-statoverride --update --add root adminmembers 4750 /bin/su

Here, the sudo dpkg-statoverride --update --add command is used to override file permissions and ownership for a specific file on a Debian-based Linux distribution. In this case, the command is setting a special permission and ownership for the /bin/su binary.

Let's break down the command:

  • sudo: This is used to run the command with superuser (root) privileges. You will need administrative privileges to modify system files.
  • dpkg-statoverride: This is a command-line tool in Debian-based systems that allows you to override file permissions and ownership of packages managed by the package manager.
  • --update: This option tells dpkg-statoverride to update the specified override if it already exists.
  • --add: This option indicates that we want to add a new override.
  • root: This specifies the user whose ownership will be set for the file.
  • adminmembers: This specifies the group whose ownership will be set for the file.
  • 4750: This is the numeric representation of the file permissions. The value 4750 is a special permission called "SetUID" (Set User ID) on execution. When the su binary has the SetUID bit set, it runs with the effective user ID of the file owner (root) instead of the user who executed it. This allows regular users to switch to the root user's privileges temporarily when running su.
  • /bin/su: This is the path to the file for which the override is being set. In this case, it's the /bin/su binary, which allows users to switch to another user's account (often the root user) after providing the necessary password.

So, the command is adding an override for the permissions and ownership of the /bin/su binary. It sets the file's owner to root, group to adminmembers, and gives the SetUID permission to the file. This means that when users run the su command, it will run with root privileges, allowing them to switch to the root user or another user with superuser privileges after providing the appropriate password. The non-members of the 'adminmembers' group can't use su command, even if they have sudo privilege.

Let us verify it. Right now, I'm logged into my system as a user named 'ostechnix', and this user has sudo privileges.

$ sudo -lU ostechnix
[sudo] password for ostechnix: 
Matching Defaults entries for ostechnix on debian12:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User ostechnix may run the following commands on debian12:
    <strong><mark>(ALL : ALL) ALL</mark></strong>

As you see in the above output, the user 'ostechnix' can able to run all commands.

Now, let use su command and see what happens.

$ su - user1

Sample output:

-bash: /usr/bin/su: Permission denied

See? The user 'ostechnix' can't use the su command despite having sudo privilege because he is not a member of the 'adminmembers' group. Because, we limited the su command usage to only the members of that specific group.

How To Restrict Su Command To Authorized Users In Linux

Now log out from the current session and log back in as 'user1' or 'user2' or any member of the 'adminmembers' group.

And, check if su command works:

user1@debian12:~$ whoami
user1
user1@debian12:~$ 
user1@debian12:~$ su - user2
Password: 
user2@debian12:~$ 
user2@debian12:~$ whoami
user2
user2@debian12:~$ 
user2@debian12:~$ su - user1
Password: 
user1@debian12:~$ 
user1@debian12:~$ whoami
user1
user1@debian12:~$ 

How To Restrict Su Command To Authorized Users In Linux

As you can observe in the above output, both 'user1' and 'user2' have the ability to switch between different user accounts using the su command because they are both members of the 'adminmembers' group.

1.1. Revert su Command to its Original Configuration

To undo the changes made by the command sudo dpkg-statoverride --update --add root adminmembers 4750 /bin/su, you need to remove the override that was set for the /bin/su binary. The dpkg-statoverride command allows you to manage file permissions and ownership for packages in Debian-based systems.

To remove the override for the /bin/su binary, follow these steps:

1. Check the current dpkg-statoverride configuration:

Before removing the override, it's a good idea to check if the override for /bin/su exists and what the current configuration is. Run the following command to view the current dpkg-statoverride settings:

$ dpkg-statoverride --list /bin/su

This command will show you the current permissions and ownership set for the /bin/su binary.

Sample output:

root adminmembers 4750 /bin/su

2. Remove the dpkg-statoverride entry:

To remove the override, use the following command:

$ sudo dpkg-statoverride --remove /bin/su

This command will remove the override entry for /bin/su.

3. Reset the original permissions (if needed):

If you want to reset the permissions of /bin/su to the default value, use the following command:

$ sudo chmod 4755 /bin/su

The 4755 value sets the SetUID bit on the file, which allows the su command to run with root privileges.

How To Restrict Su Command To Authorized Users In Linux

With these steps, you should have undone the changes made by the initial sudo dpkg-statoverride --update --add root adminmembers 4750 /bin/su command and reverted the /bin/su binary to its original configuration.

Warning: Always exercise caution when modifying system configurations, especially when dealing with file permissions and ownership, as improper changes can impact system security and stability.

2. Limit the Use of Su Command in RHEL-based Systems

The previous method is only for Debian and its derivatives like Ubuntu. The process of limiting su command usage in RPM-based is different. Let us see how to do that.

To limit the use of the su command in RHEL-based systems, follow these steps:

1. Create a new user (e.g., "user1") and add him to the "wheel" group:

$ sudo adduser user1
$ sudo passwd user1
$ sudo usermod -G wheel user1

This grants the user "user1" access to the su command through the "wheel" group, which is often configured to have special privileges.

2. Open the PAM configuration file for su using a text editor:

$ sudo nano /etc/pam.d/su

3. Append the following line at the end of the file or uncomment this line if it already exists:

auth required /lib/security/pam_wheel.so use_uid

Alternatively, you can uncomment or append this line:

auth required pam_wheel.so use_uid

4. Save the changes and close the file.

With these steps, the su command will be restricted, and only users belonging to the "wheel" group will be allowed to use it.

When you try to use su command from a non-member of wheel group, you would see an output like below:

[user3@Almalinux9ct ~]$ su - user1
Password: 
su: Module is unknown

How To Restrict Su Command To Authorized Users In Linux

To revert back to the original settings, simply comment or remove the line that you've added in the previous step.

Frequently Asked Questions

Q: What is the su command in Linux?

A: The su command, short for "switch user," allows users to execute commands as a different user, often the root user with superuser privileges.

Q: Why should I restrict the su command usage?

A: Restricting su command usage enhances security by limiting access to privileged operations, reducing the risk of unauthorized users gaining unrestricted control over the system.

Q: How can I limit the use of the su command?

A: You can limit su command usage by configuring the PAM (Pluggable Authentication Modules) file, allowing access only to specific groups or users, such as the "wheel" group.

Q: How do I grant access to su for a specific group?

A: Add the desired users to a designated group (e.g., "wheel") and configure the /etc/pam.d/su file to require this group membership for su command access.

Q: How can I check if the su command is appropriately restricted?

A: Use the su command with a non-privileged user to verify that access is limited only to authorized users or groups.

Conclusion

Restricting the usage of the su command in Linux is a vital step towards strengthening Linux system security and safeguarding sensitive information. By carefully controlling access to privileged commands, such as su, we can mitigate the risk of unauthorized users gaining elevated privileges and potentially compromising the system.

Implementing these restrictions, in conjunction with other security best practices, creates a more resilient and secure Linux environment.

Related Read:

  • How To Run Commands As Another User Via Sudo In Linux

The above is the detailed content of How To Restrict Su Command To Authorized Users In Linux. For more information, please follow other related articles on the PHP Chinese website!

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Mastering Text Manipulation With the Sed CommandMastering Text Manipulation With the Sed CommandMar 16, 2025 am 09:48 AM

The Linux command line interface provides a wealth of text processing tools, one of the most powerful tools is the sed command. sed is the abbreviation of Stream EDitor, a multi-functional tool that allows complex processing of text files and streams. What is Sed? sed is a non-interactive text editor that operates on pipeline inputs or text files. By providing directives, you can let it modify and process text in a file or stream. The most common use cases of sed include selecting text, replacing text, modifying original files, adding lines to text, or removing lines from text. It can be used from the command line in Bash and other command line shells. Sed command syntax sed

Linux Kernel Source Code Surpasses 40 Million LinesLinux Kernel Source Code Surpasses 40 Million LinesMar 05, 2025 am 09:35 AM

Linux: The cornerstone of modern computing, from smartphones to supercomputers, can do everything. Over the years, the size and complexity of the Linux kernel has increased significantly. As of January 2025, the Linux kernel source code contains approximately 40 million lines of code! This is one of the greatest achievements in the history of open source, community-driven projects. This article will discuss the exponential growth of the number of lines in the Linux kernel source code, the reasons and how to check the current number of lines by yourself. Directory -Linux kernel history Count the number of lines of the Linux kernel source code only count C and header files Exponential trend of kernel growth Verify historical Linux kernel lines Summary Linux kernel history Since 1991 Linus Tor

Pilet: A Modular, Portable Mini-Computer Powered by Raspberry PiPilet: A Modular, Portable Mini-Computer Powered by Raspberry PiMar 06, 2025 am 10:11 AM

Discover Pilet: A Retro-Futuristic, Open-Source Mini-Computer Looking for a mini-computer that blends classic style with cutting-edge technology? Meet Pilet, a modular, open-source marvel powered by the Raspberry Pi 5. Boasting a 7-hour battery life

How To Count Files And Directories In Linux: A Beginner's GuideHow To Count Files And Directories In Linux: A Beginner's GuideMar 19, 2025 am 10:48 AM

Efficiently Counting Files and Folders in Linux: A Comprehensive Guide Knowing how to quickly count files and directories in Linux is crucial for system administrators and anyone managing large datasets. This guide demonstrates using simple command-l

The Secret Weapon to Supercharge Your Linux System With Liquorix KernelThe Secret Weapon to Supercharge Your Linux System With Liquorix KernelMar 08, 2025 pm 12:12 PM

Liquorix kernel: a powerful tool to improve Linux system performance Linux is known for its flexibility, security and high performance, becoming the operating system of choice for developers, system administrators, and advanced users. However, the universal Linux kernel is not always meeting the needs of users seeking maximum performance and responsiveness. This is where the Liquorix kernel comes into play—a performance-optimized alternative that promises to enhance your Linux system. This article will explore what the Liquorix kernel is, why you might want to use it, and how to install and configure it to get the most out of your system. Liquorix kernel detailed explanation Liquorix kernel is a precompiled Linux kernel designed for

System76 Introduces Meerkat Mini PC: Big Power in a Tiny PackageSystem76 Introduces Meerkat Mini PC: Big Power in a Tiny PackageMar 05, 2025 am 10:28 AM

The System76 Meerkat: A Mighty Mini PC Looking for a powerful yet space-saving computer? Meet the Meerkat mini PC from System76! This compact powerhouse is perfect for tidy desktops and demanding tasks. Table of Contents - Compact Design, Impressive

How To Add A User To Multiple Groups In LinuxHow To Add A User To Multiple Groups In LinuxMar 18, 2025 am 11:44 AM

Efficiently managing user accounts and group memberships is crucial for Linux/Unix system administration. This ensures proper resource and data access control. This tutorial details how to add a user to multiple groups in Linux and Unix systems. We

Building Your Own Ubuntu Personal Cloud: A Step-by-Step Guide to Creating a Secure Data HavenBuilding Your Own Ubuntu Personal Cloud: A Step-by-Step Guide to Creating a Secure Data HavenMar 05, 2025 am 11:02 AM

In today's digital age, data is not just information, but also a part of our lives. From photos and documents to sensitive personal information, our data represents our memories, work and interests. Although cloud storage services are widely available, they are often accompanied by privacy concerns, subscription fees, and customization restrictions. That's what building a personal cloud on Ubuntu is about as a powerful alternative, which gives you complete control over your data and the flexibility to customize and scale as needed. This guide will guide you to set up a Ubuntu-based personal cloud, use Nextcloud as the primary application, and ensure your settings are secure and reliable. Why build a personal cloud on Ubuntu? Ubuntu is the most popular Linux

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Dreamweaver Mac version

Dreamweaver Mac version

Visual web development tools

Safe Exam Browser

Safe Exam Browser

Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

SAP NetWeaver Server Adapter for Eclipse

SAP NetWeaver Server Adapter for Eclipse

Integrate Eclipse with SAP NetWeaver application server.

SublimeText3 English version

SublimeText3 English version

Recommended: Win version, supports code prompts!