How do you disable su?

Question

I'm confused about su a bit. I just want to prevent users from using su across the board. Authorized users will have sudo access so they can be root if desired. We just want to completely disable su in any case.

This source has you uncomment and replace auth required pam_wheel.so with auth required pam_wheel.so use_uid from /etc/pam.d/su https://securitronlinux.com/bejiitaswrath/how-to-disable-the-su-to-root-in-linux-using-pam/ but the page says

This will require a user to login as root at a terminal to be able to use a root prompt.

so I'm concerned it will prevent users from using sudo -s

Also, we don't want users to be able to escape to root and then su into each other's accounts. I see in /etc/pam.d/su

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

Is it safe for me to comment this line? Will that finish achieving my objective without locking us all out?

I don't understand why you worry about su. If someone uses su he will need to enter the password of the user he want to swich to, if he don't know this password he will not be able to swich to that user. — mook765, Nov 30 '21 at 19:41
@Nmath There's no root account? How should I call this? root@MRHOSTMAN:~# id uid=0(root) gid=0(root) groups=0(root) — bluesquare, Nov 30 '21 at 21:37
@mook765 Hi there was no password required to do this: root@MRHOSTMAN:~# su otherguy otherguy@MRHOSTMAN:/home/firstguy$ — bluesquare, Nov 30 '21 at 21:39
Only when you are root you can do it, not when you are an ordinary user. — mook765, Nov 30 '21 at 22:11

score 2 · Accepted Answer · answered Dec 01 '21 at 16:56

2

Thanks to @pasmanpasmański and all the commenters and question answerers who really enhanced my understanding of Ubuntu.

To disable su on Ubuntu (and some redhat distros too actually), do exactly this:

Edit /etc/pam.d/su

Comment out auth required pam_wheel.so and add auth required pam_wheel.so use_uid below.

and comment out auth sufficient pam_rootok.so

(as per securitronlinux.com)

Then you can expect: No one, including root can su!

answered Dec 01 '21 at 16:56

bluesquare

169

Tried this one, indeed prompts for password of the account being logged into. This, however, might have a downside for copy-pasters like myself that it keeps one from logging in as root if root does not have a valid password (sudo is of no use here, as root is being kept from logging in as anyone by the line containing pam_rootok.so being commented out). Just a warning beforehand. This can be changed later on via simply sudo passwd root. or better sudo vim /etc/pam.d/su. – cbugk Oct 27 '22 at 14:45

pasman pasmański · Answer 2 · 2021-11-30T20:21:18.357

1

In Ubuntu is used security model:

You cannot login as root - account has a password blocked.
Users can gain root permissions only via sudo. To do it they must be in sudo or admin group or direct in sudo config files.

So if you want that users can't use su, remove them from sudo and admin groups. If they can do some admin tasks, then better add them to the group myadmins and configure permissions of group myadmins in sudoers config file.

edited Nov 30 '21 at 20:21

answered Nov 30 '21 at 19:31

pasman pasmański

1,897

1

This doesn't disable the use of su command - that command will still work, but unless they know the password for other users it won't help them. Just for cklarification because sudo or admin group removal won't stop su from still doing its functions - they just can't login to any account if there's locked PWs or if they don't know the PWs for the accounts they're attempting – Thomas Ward Nov 30 '21 at 20:02
Su is not disabled , because you may run commands working similar: sudo sh , sudo bash etc. Users in sudo group can anything, including repairing locked accounts. Users in 'myadmin` group may have strictly defined permissions. Other users have standard permissions. – pasman pasmański Nov 30 '21 at 20:14
1

Except you're now talking about two completely different things. OP is asking how to disable su, not disable sudo/admin login. Even if someone doesn't have sudo perms, they can still use su to login to other users on system. – Thomas Ward Nov 30 '21 at 20:22
1

Disabling su has no sense. If some user can use su otheruser because he knows password of otheruser, then he may logout and log in as otheruser. – pasman pasmański Nov 30 '21 at 20:32
@pasmanpasmański Im confused. I can log in as root... sudo -s and then Im root. How do you mean you cant log in as root? Also, I can currently su root and I thought I logged in as root (uid =0) – bluesquare Nov 30 '21 at 22:55
Please review: https://askubuntu.com/q/687249 – Nmath Nov 30 '21 at 22:59
Based on the wording of the question and the comments, it seems that OP is conflating su with sudo or root login or perhaps sudo su - If OP is actually wanting to only disable the use of su, I agree that it would be useless- 1) because you need a user's password to use it, and 2) if you have the users password you can just log in as that user anyway, rendering the su disablement completely ineffective – Nmath Nov 30 '21 at 23:10
@Lojitech sudo -s works , because you are in sudo group. if you create a new user, he can't do sudo -s – pasman pasmański Dec 01 '21 at 06:00
@pasmanpasmański OK but as I said, authorized users will have sudo access. So I was hoping to find out if I can disable su the way I mentioned in my post, safely – bluesquare Dec 01 '21 at 14:16

How do you disable su?

2 Answers2