Differences between revisions 6 and 7
Revision 6 as of 2014-06-18 14:37:24
Size: 908
Editor: MarioBar
Revision 7 as of 2014-08-17 14:35:11
Size: 909
Editor: MichaelSmall
Comment: usermod -G alone, without -a, will remove the user from other groups.
Deletions are marked like this. Additions are marked like this.
Line 37: Line 37:
# usermod -G wheel user_name # usermod -aG wheel user_name

Pam Wheel


Set up the pam_wheel module to restrict the execution of su, editing /etc/pam.d/su and (optionally) adding a wheel group.

The root group will be checked if the wheel group does not exist, but it is recommended to leave that group to root alone.

Restrict the execution of su

With root privileges uncomment the following line in /etc/pam.d/su, by removing the leading '#':

#auth       required pam_wheel.so

That's all for the file and no user can execute su anymore. This is the most secure configuration.

Allow a user to execute su

After having restricted the execution of su, create the group wheel with root privileges:

# groupadd wheel

And then add user_name to that group:

# usermod -aG wheel user_name

From now user_name can execute su.