This is what /etc/sudoers does with the help of some groups.
By default, if a user is a member of group admin or group sudo, they'll have the ability to run commands as the root user. So, we can just remove the user from these two groups:
sudo gpasswd -d user1 sudo
sudo gpasswd -d user1 admin
Note that this will not take effect immediately. user1 must log out and back in for this change to take effect.
To give user2 access to root, you may add them to either of these groups. Personally, I prefer to add them to the sudo group, like so:
sudo usermod -aG sudo user2
Again, user2 needs to log out and back in for these settings to take effect.
Note, though, that it may be possible for user1 to have a record in the /etc/sudoers file, in which case you need to delete that record.
When editing /etc/sudoers, never edit it by hand! Instead, use the visudo command, which will validate that you're not going to accidentally break your config irreversibly. Execute this with the sudo visudo command.
su? Same procedure or different? – manikanta Mar 15 '17 at 06:19
su is a different beast entirely. Instead of using current user permissions, su uses the target user. Any user can theoretically run su, but only users that know root's (or whoever the target user is in the case of su <user>) password will be able to use it to escalate. – Kaz Wolfe Mar 15 '17 at 06:20
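An added example, not part of the original answer or its comments: a small audit of the two routes the answer names, membership of the sudo or admin group and a per-user record in /etc/sudoers. The function names are hypothetical and the sample files are constructed. It assumes plain member lists and literal user names, so it does not follow sudoers includes or aliases.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample files are constructed.

# Print "sudo" and/or "admin" if group file $2 lists user $1 as a member.
sudo_groups_of() {
    awk -F: -v u="$1" '
        $1 == "sudo" || $1 == "admin" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $1
        }' "${2:-/etc/group}"
}

# Print lines of sudoers file $2 whose first field is exactly user $1,
# i.e. a per-user record that survives removal from the groups.
sudoers_records_of() {
    awk -v u="$1" '$1 == u { print FILENAME ": " $0 }' "${2:-/etc/sudoers}"
}

# Succeed (printing the findings) if either route to root still exists.
has_sudo_path() {
    out="$(sudo_groups_of "$1" "$2"; sudoers_records_of "$1" "$3")"
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Constructed sample data: group file before and after the gpasswd step,
# plus a sudoers file that still carries a direct record for user1.
write_samples() {
    printf '%s\n' 'root:x:0:' 'sudo:x:27:user1,user2' 'admin:x:110:user1' \
        > "$1/group.before"
    printf '%s\n' 'root:x:0:' 'sudo:x:27:user2' 'admin:x:110:' \
        > "$1/group.after"
    printf '%s\n' 'Defaults env_reset' 'root ALL=(ALL:ALL) ALL' \
        '%sudo ALL=(ALL:ALL) ALL' 'user1 ALL=(ALL) NOPASSWD: ALL' \
        > "$1/sudoers"
}

demo_dir="$(mktemp -d)"
write_samples "$demo_dir"
echo "before: $(sudo_groups_of user1 "$demo_dir/group.before" | tr '\n' ' ')"
if has_sudo_path user1 "$demo_dir/group.after" "$demo_dir/sudoers"; then
    echo "user1 still has a sudo route after leaving the groups"
fi
rm -rf "$demo_dir"
```

On a live system, running sudo -l -U user1 as root shows what sudo itself would allow for that user.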