search
HomeSystem TutorialLINUXHow To Restrict Su Command To Authorized Users In Linux

The su command is a powerful tool that can be used to switch to another user's account. However, it can also be used by bad persons to gain unauthorized access to your system. By restricting the use of the su command, you can help to protect your Linux system from unauthorized access.

Table of Contents

Introduction

In our previous tutorial, we learned how to "grant or deny sudo access to a group" in Linux to make things safer and manage groups better. However, this alone may not be enough.

If a bad person gains access to an account without sudo privileges, they can still try to login as root or another user with sudo privileges by using the su command. As you already know, the su command allows users to execute commands as other accounts, including the root account.

To address this concern, we need to ensure that only specific accounts have the privilege to use the su command. This extra step will add even more security to our system. In this brief tutorial, we will learn how to restrict the su command usage to authorized users in Linux.

Here are some of the reasons why you might want to restrict the use of the su command:

  • To prevent unauthorized users from gaining access to sensitive data.
  • To prevent unauthorized users from making changes to system settings.
  • To prevent unauthorized users from installing malicious software.

1. Restrict Su Command Usage to Particular Users in Debian and its Derivatives

To limit who can use su command, we need to create a dedicated group and allow only the members of that particular group can use su command. Let us see how to do that.

1. For the purpose of this guide, I am going to create two users namely user1 and user2.

$ sudo adduser user1
$ sudo adduser user2

2. Next, create a new group called adminmembers.

$ sudo groupadd adminmembers

3. Add the 'user1' and 'user2' to the group.

$ sudo usermod -aG adminmembers user1
$ sudo usermod -aG adminmembers user2

Similarly, add all other users to this group.

You can verify the members of this group using command:

$ getent group adminmembers

Sample output:

adminmembers:x:1005:user1,user2

4. Now, run the following command to restrict the su command to only the members of the 'adminmembers' group:

$ sudo dpkg-statoverride --update --add root adminmembers 4750 /bin/su

Here, the sudo dpkg-statoverride --update --add command is used to override file permissions and ownership for a specific file on a Debian-based Linux distribution. In this case, the command is setting a special permission and ownership for the /bin/su binary.

Let's break down the command:

  • sudo: This is used to run the command with superuser (root) privileges. You will need administrative privileges to modify system files.
  • dpkg-statoverride: This is a command-line tool in Debian-based systems that allows you to override file permissions and ownership of packages managed by the package manager.
  • --update: This option tells dpkg-statoverride to update the specified override if it already exists.
  • --add: This option indicates that we want to add a new override.
  • root: This specifies the user whose ownership will be set for the file.
  • adminmembers: This specifies the group whose ownership will be set for the file.
  • 4750: This is the numeric representation of the file permissions. The value 4750 is a special permission called "SetUID" (Set User ID) on execution. When the su binary has the SetUID bit set, it runs with the effective user ID of the file owner (root) instead of the user who executed it. This allows regular users to switch to the root user's privileges temporarily when running su.
  • /bin/su: This is the path to the file for which the override is being set. In this case, it's the /bin/su binary, which allows users to switch to another user's account (often the root user) after providing the necessary password.

So, the command is adding an override for the permissions and ownership of the /bin/su binary. It sets the file's owner to root, group to adminmembers, and gives the SetUID permission to the file. This means that when users run the su command, it will run with root privileges, allowing them to switch to the root user or another user with superuser privileges after providing the appropriate password. The non-members of the 'adminmembers' group can't use su command, even if they have sudo privilege.

Let us verify it. Right now, I'm logged into my system as a user named 'ostechnix', and this user has sudo privileges.

$ sudo -lU ostechnix
[sudo] password for ostechnix: 
Matching Defaults entries for ostechnix on debian12:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User ostechnix may run the following commands on debian12:
    <strong><mark>(ALL : ALL) ALL</mark></strong>

As you see in the above output, the user 'ostechnix' can able to run all commands.

Now, let use su command and see what happens.

$ su - user1

Sample output:

-bash: /usr/bin/su: Permission denied

See? The user 'ostechnix' can't use the su command despite having sudo privilege because he is not a member of the 'adminmembers' group. Because, we limited the su command usage to only the members of that specific group.

How To Restrict Su Command To Authorized Users In Linux

Now log out from the current session and log back in as 'user1' or 'user2' or any member of the 'adminmembers' group.

And, check if su command works:

user1@debian12:~$ whoami
user1
user1@debian12:~$ 
user1@debian12:~$ su - user2
Password: 
user2@debian12:~$ 
user2@debian12:~$ whoami
user2
user2@debian12:~$ 
user2@debian12:~$ su - user1
Password: 
user1@debian12:~$ 
user1@debian12:~$ whoami
user1
user1@debian12:~$ 

How To Restrict Su Command To Authorized Users In Linux

As you can observe in the above output, both 'user1' and 'user2' have the ability to switch between different user accounts using the su command because they are both members of the 'adminmembers' group.

1.1. Revert su Command to its Original Configuration

To undo the changes made by the command sudo dpkg-statoverride --update --add root adminmembers 4750 /bin/su, you need to remove the override that was set for the /bin/su binary. The dpkg-statoverride command allows you to manage file permissions and ownership for packages in Debian-based systems.

To remove the override for the /bin/su binary, follow these steps:

1. Check the current dpkg-statoverride configuration:

Before removing the override, it's a good idea to check if the override for /bin/su exists and what the current configuration is. Run the following command to view the current dpkg-statoverride settings:

$ dpkg-statoverride --list /bin/su

This command will show you the current permissions and ownership set for the /bin/su binary.

Sample output:

root adminmembers 4750 /bin/su

2. Remove the dpkg-statoverride entry:

To remove the override, use the following command:

$ sudo dpkg-statoverride --remove /bin/su

This command will remove the override entry for /bin/su.

3. Reset the original permissions (if needed):

If you want to reset the permissions of /bin/su to the default value, use the following command:

$ sudo chmod 4755 /bin/su

The 4755 value sets the SetUID bit on the file, which allows the su command to run with root privileges.

How To Restrict Su Command To Authorized Users In Linux

With these steps, you should have undone the changes made by the initial sudo dpkg-statoverride --update --add root adminmembers 4750 /bin/su command and reverted the /bin/su binary to its original configuration.

Warning: Always exercise caution when modifying system configurations, especially when dealing with file permissions and ownership, as improper changes can impact system security and stability.

2. Limit the Use of Su Command in RHEL-based Systems

The previous method is only for Debian and its derivatives like Ubuntu. The process of limiting su command usage in RPM-based is different. Let us see how to do that.

To limit the use of the su command in RHEL-based systems, follow these steps:

1. Create a new user (e.g., "user1") and add him to the "wheel" group:

$ sudo adduser user1
$ sudo passwd user1
$ sudo usermod -G wheel user1

This grants the user "user1" access to the su command through the "wheel" group, which is often configured to have special privileges.

2. Open the PAM configuration file for su using a text editor:

$ sudo nano /etc/pam.d/su

3. Append the following line at the end of the file or uncomment this line if it already exists:

auth required /lib/security/pam_wheel.so use_uid

Alternatively, you can uncomment or append this line:

auth required pam_wheel.so use_uid

4. Save the changes and close the file.

With these steps, the su command will be restricted, and only users belonging to the "wheel" group will be allowed to use it.

When you try to use su command from a non-member of wheel group, you would see an output like below:

[user3@Almalinux9ct ~]$ su - user1
Password: 
su: Module is unknown

How To Restrict Su Command To Authorized Users In Linux

To revert back to the original settings, simply comment or remove the line that you've added in the previous step.

Frequently Asked Questions

Q: What is the su command in Linux?

A: The su command, short for "switch user," allows users to execute commands as a different user, often the root user with superuser privileges.

Q: Why should I restrict the su command usage?

A: Restricting su command usage enhances security by limiting access to privileged operations, reducing the risk of unauthorized users gaining unrestricted control over the system.

Q: How can I limit the use of the su command?

A: You can limit su command usage by configuring the PAM (Pluggable Authentication Modules) file, allowing access only to specific groups or users, such as the "wheel" group.

Q: How do I grant access to su for a specific group?

A: Add the desired users to a designated group (e.g., "wheel") and configure the /etc/pam.d/su file to require this group membership for su command access.

Q: How can I check if the su command is appropriately restricted?

A: Use the su command with a non-privileged user to verify that access is limited only to authorized users or groups.

Conclusion

Restricting the usage of the su command in Linux is a vital step towards strengthening Linux system security and safeguarding sensitive information. By carefully controlling access to privileged commands, such as su, we can mitigate the risk of unauthorized users gaining elevated privileges and potentially compromising the system.

Implementing these restrictions, in conjunction with other security best practices, creates a more resilient and secure Linux environment.

Related Read:

  • How To Run Commands As Another User Via Sudo In Linux

The above is the detailed content of How To Restrict Su Command To Authorized Users In Linux. For more information, please follow other related articles on the PHP Chinese website!

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
What is the salary of Linux administrator?What is the salary of Linux administrator?Apr 17, 2025 am 12:24 AM

The average annual salary of Linux administrators is $75,000 to $95,000 in the United States and €40,000 to €60,000 in Europe. To increase salary, you can: 1. Continuously learn new technologies, such as cloud computing and container technology; 2. Accumulate project experience and establish Portfolio; 3. Establish a professional network and expand your network.

What is the main purpose of Linux?What is the main purpose of Linux?Apr 16, 2025 am 12:19 AM

The main uses of Linux include: 1. Server operating system, 2. Embedded system, 3. Desktop operating system, 4. Development and testing environment. Linux excels in these areas, providing stability, security and efficient development tools.

Does the internet run on Linux?Does the internet run on Linux?Apr 14, 2025 am 12:03 AM

The Internet does not rely on a single operating system, but Linux plays an important role in it. Linux is widely used in servers and network devices and is popular for its stability, security and scalability.

What are Linux operations?What are Linux operations?Apr 13, 2025 am 12:20 AM

The core of the Linux operating system is its command line interface, which can perform various operations through the command line. 1. File and directory operations use ls, cd, mkdir, rm and other commands to manage files and directories. 2. User and permission management ensures system security and resource allocation through useradd, passwd, chmod and other commands. 3. Process management uses ps, kill and other commands to monitor and control system processes. 4. Network operations include ping, ifconfig, ssh and other commands to configure and manage network connections. 5. System monitoring and maintenance use commands such as top, df, du to understand the system's operating status and resource usage.

Boost Productivity with Custom Command Shortcuts Using Linux AliasesBoost Productivity with Custom Command Shortcuts Using Linux AliasesApr 12, 2025 am 11:43 AM

Introduction Linux is a powerful operating system favored by developers, system administrators, and power users due to its flexibility and efficiency. However, frequently using long and complex commands can be tedious and er

What is Linux actually good for?What is Linux actually good for?Apr 12, 2025 am 12:20 AM

Linux is suitable for servers, development environments, and embedded systems. 1. As a server operating system, Linux is stable and efficient, and is often used to deploy high-concurrency applications. 2. As a development environment, Linux provides efficient command line tools and package management systems to improve development efficiency. 3. In embedded systems, Linux is lightweight and customizable, suitable for environments with limited resources.

Essential Tools and Frameworks for Mastering Ethical Hacking on LinuxEssential Tools and Frameworks for Mastering Ethical Hacking on LinuxApr 11, 2025 am 09:11 AM

Introduction: Securing the Digital Frontier with Linux-Based Ethical Hacking In our increasingly interconnected world, cybersecurity is paramount. Ethical hacking and penetration testing are vital for proactively identifying and mitigating vulnerabi

How to learn Linux basics?How to learn Linux basics?Apr 10, 2025 am 09:32 AM

The methods for basic Linux learning from scratch include: 1. Understand the file system and command line interface, 2. Master basic commands such as ls, cd, mkdir, 3. Learn file operations, such as creating and editing files, 4. Explore advanced usage such as pipelines and grep commands, 5. Master debugging skills and performance optimization, 6. Continuously improve skills through practice and exploration.

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
1 months agoBy尊渡假赌尊渡假赌尊渡假赌
R.E.P.O. Best Graphic Settings
1 months agoBy尊渡假赌尊渡假赌尊渡假赌
R.E.P.O. How to Fix Audio if You Can't Hear Anyone
1 months agoBy尊渡假赌尊渡假赌尊渡假赌
R.E.P.O. Chat Commands and How to Use Them
1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Atom editor mac version download

Atom editor mac version download

The most popular open source editor

PhpStorm Mac version

PhpStorm Mac version

The latest (2018.2.1) professional PHP integrated development tool

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

WebStorm Mac version

WebStorm Mac version

Useful JavaScript development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)