I'm confused about su a bit. I just want to prevent users from using su across the board. Authorized users will have sudo access so they can be root if desired. We just want to completely disable su in any case.

This source has you uncomment and replace `auth required pam_wheel.so` with `auth required pam_wheel.so use_uid` from `/etc/pam.d/su`: https://securitronlinux.com/bejiitaswrath/how-to-disable-the-su-to-root-in-linux-using-pam/ but the page says

> This will require a user to login as root at a terminal to be able to use a root prompt.

so I'm concerned it will prevent users from using sudo -s

Also, we don't want users to be able to escape to root and then su into each other's accounts. I see in /etc/pam.d/su

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

Is it safe for me to comment this line? Will that finish achieving my objective without locking us all out?

  • 1) Ubuntu does not have a root account so you cannot log in as root; 2) Any user with sudo privileges can do anything they want, including read/write/execute to other users' accounts – Nmath Nov 30 '21 at 19:29
  • I don't understand why you worry about su. If someone uses su he will need to enter the password of the user he wants to switch to; if he doesn't know this password he will not be able to switch to that user. – mook765 Nov 30 '21 at 19:41
  • @Nmath There's no root account? How should I call this? root@MRHOSTMAN:~# id uid=0(root) gid=0(root) groups=0(root) – bluesquare Nov 30 '21 at 21:37
  • @mook765 Hi there was no password required to do this: root@MRHOSTMAN:~# su otherguy otherguy@MRHOSTMAN:/home/firstguy$ – bluesquare Nov 30 '21 at 21:39
  • Only when you are root you can do it, not when you are an ordinary user. – mook765 Nov 30 '21 at 22:11
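
A read-only check for the two `/etc/pam.d/su` lines the question discusses, as an added example that is not part of the original post or comments: it parses PAM rules and reports whether `pam_rootok.so` and `pam_wheel.so` are active or commented out in the auth stack. The sample file content is constructed, and the function names `parse_pam` and `su_auth_report` are hypothetical.

```python
import re

# Constructed sample modelled on the lines quoted in the question (not a real file).
SAMPLE_SU = """\
# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
# auth       required   pam_wheel.so
# auth       required   pam_wheel.so use_uid
session    required   pam_env.so readenv=1
"""

# PAM rule: type control module [args]; control may be a bracketed [value=action ...] list.
LINE_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+\.so)\s*(?P<args>.*)$"
)

def parse_pam(text):
    """Return one dict per rule; commented-out rules are kept with active=False."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line.lstrip("#").strip())
        if m:  # blank lines, prose comments and @include lines do not match
            rule = m.groupdict()
            rule["args"] = rule["args"].split()
            rule["active"] = not line.startswith("#")
            rules.append(rule)
    return rules

def su_auth_report(text):
    """Summarise pam_rootok and pam_wheel in the auth stack of a pam.d file."""
    report = {"rootok_active": False, "wheel_active": False,
              "wheel_use_uid": False, "wheel_commented": 0}
    for r in parse_pam(text):
        if r["type"].lstrip("-") != "auth":
            continue
        if r["module"].endswith("pam_rootok.so"):
            report["rootok_active"] |= r["active"]
        elif r["module"].endswith("pam_wheel.so") and r["active"]:
            report["wheel_active"] = True
            report["wheel_use_uid"] |= "use_uid" in r["args"]
        elif r["module"].endswith("pam_wheel.so"):
            report["wheel_commented"] += 1
    return report

if __name__ == "__main__":
    print(su_auth_report(SAMPLE_SU))  # on a host: pass open("/etc/pam.d/su").read()
```

Running it before and after an edit to the file, while a second root shell stays open, shows exactly which of the two rules changed state.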