I'm confused about su a bit. I just want to prevent users from using su across the board. Authorized users will have sudo access so they can be root if desired. We just want to completely disable su in any case.
This source has you uncomment and replace auth required pam_wheel.so
with auth required pam_wheel.so use_uid
from /etc/pam.d/su
https://securitronlinux.com/bejiitaswrath/how-to-disable-the-su-to-root-in-linux-using-pam/
but the page says
This will require a user to login as root at a terminal to be able to use a root prompt.
so I'm concerned it will prevent users from using sudo -s
Also, we don't want users to be able to escape to root and then su into each other's accounts. I see in /etc/pam.d/su
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
Is it safe for me to comment this line? Will that finish achieving my objective without locking us all out?
su. If someone uses su he will need to enter the password of the user he wants to switch to; if he doesn't know this password he will not be able to switch to that user. – mook765 Nov 30 '21 at 19:41
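A read-only check of the two /etc/pam.d/su auth rules discussed above, added here as an example and not part of the original question or comment. The sample file content, the function names and the result keys are assumptions made for illustration.

```python
import os
import re
import sys

# Constructed sample modelled on the lines quoted in the question; not a real system's file.
SAMPLE = """\
# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
# auth       required   pam_wheel.so
@include common-auth
"""

# type, control (plain word or [bracketed] form), module path, optional arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) for every active rule in a PAM file."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = line.split("#", 1)[0].strip()             # drop comments
        m = RULE.match(line)
        if m:                                            # @include lines do not match
            rules.append((m[1].lstrip("-"), m[2], os.path.basename(m[3]), m[4].split()))
    return rules

def audit_su(text):
    """Summarise the two auth rules the question is about."""
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    rootok = next((r for r in auth if r[2] == "pam_rootok.so"), None)
    wheel = next((r for r in auth if r[2] == "pam_wheel.so"), None)
    return {
        "rootok_sufficient": bool(rootok and rootok[1] == "sufficient"),
        "wheel_enforced": bool(wheel and wheel[1] in ("required", "requisite")),
        "wheel_use_uid": bool(wheel and "use_uid" in wheel[3]),
    }

if __name__ == "__main__":
    # Pass a path such as /etc/pam.d/su to audit a real file; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, value in audit_su(text).items():
        print(f"{key}: {value}")
```

sudo authenticates through its own PAM service, so its rules are not in the file this check reads.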