Differences between revisions 11 and 12
Revision 11 as of 2020-09-10 07:44:00
Size: 1054
Editor: ?RichardLewis
Comment:
Revision 12 as of 2020-09-19 13:49:28
Size: 1109
Editor: ?RichardLewis
Comment:
Deletions are marked like this. Additions are marked like this.
Line 7: Line 7:
Set up the '''pam_wheel''' module to restrict the execution of su, editing /etc/pam.d/su and (optionally) adding a wheel group.

The root group will be checked if the wheel group does not exist, but it is not recommended to include non-root users in the root group.
Set up the '''pam_wheel''' module to restrict the execution of su to members of the wheel group. This involves editing /etc/pam.d/su and (generally) adding a wheel group. The root group will be used if the wheel group does not exist, but it is not recommended to include non-root users in the root group.
Line 21: Line 19:
That's all for the file and no user (other than root) can execute su anymore. This is the most secure configuration.
Now no user (other than root, and anyone else in the root group) can execute su.
Line 41: Line 39:
From now '''user_name''' can execute su.
Now '''user_name''' can execute su. Repeat the '''adduser''' call for other users if required.

Pam Wheel

Introduction

Set up the pam_wheel module to restrict the execution of su to members of the wheel group. This involves editing /etc/pam.d/su and (generally) adding a wheel group. The root group will be used if the wheel group does not exist, but it is not recommended to include non-root users in the root group.

Restrict the execution of su

With root privileges, uncomment the following line in /etc/pam.d/su by removing the leading '#':

auth required pam_wheel.so

Now no user (other than root, and anyone else in the root group) can execute su.

Allow a user to execute su

After restricting the execution of su, create the wheel group with root privileges:

# addgroup --system wheel

And then add user_name to that group:

# adduser user_name wheel

Now user_name can execute su. Repeat the adduser call for other users if required.
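As an added example (not part of this wiki page), a small POSIX shell audit script that checks the two things configured above: whether the pam_wheel line in /etc/pam.d/su is active (not commented out), and which group pam_wheel will consult (wheel if it exists, otherwise the GID 0 group) together with its members. It runs against constructed sample copies of /etc/pam.d/su and /etc/group; point the functions at the real files to audit a host.

```shell
#!/bin/sh
# Added audit helper, not from the wiki page. Checks the pam_wheel setup
# described above against a given pam.d file and an /etc/group-style file.

# pam_wheel_active <pam_su_file>
# Prints "yes" if an uncommented "auth required pam_wheel.so" line exists,
# otherwise "no". Leading whitespace and extra options after the module
# name are tolerated; a line still starting with '#' does not count.
pam_wheel_active() {
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"; then
        echo yes
    else
        echo no
    fi
}

# su_allowed_group <group_file>
# pam_wheel checks the group named "wheel" if it exists and otherwise the
# group with GID 0. Prints that group's name as found in the given file.
# (A group= option on the pam_wheel line would override this; not parsed here.)
su_allowed_group() {
    if grep -q '^wheel:' "$1"; then
        echo wheel
    else
        awk -F: '$3 == 0 { print $1; exit }' "$1"
    fi
}

# su_allowed_members <group_file>
# Prints the supplementary member list of the group pam_wheel would check.
# Users whose primary GID (in /etc/passwd) is that group are not listed here.
su_allowed_members() {
    grp=$(su_allowed_group "$1")
    awk -F: -v g="$grp" '$1 == g { print $4 }' "$1"
}

# Demo on constructed sample files so the script runs offline.
demo() {
    tmp=$(mktemp -d)
    printf '# auth required pam_wheel.so\n@include common-auth\n' > "$tmp/su.before"
    printf 'auth       required   pam_wheel.so\n@include common-auth\n' > "$tmp/su.after"
    printf 'root:x:0:\nwheel:x:999:user_name\n' > "$tmp/group.wheel"
    printf 'root:x:0:alice\n' > "$tmp/group.nowheel"
    echo "before edit: pam_wheel active = $(pam_wheel_active "$tmp/su.before")"
    echo "after edit:  pam_wheel active = $(pam_wheel_active "$tmp/su.after")"
    echo "wheel exists: group=$(su_allowed_group "$tmp/group.wheel") members=$(su_allowed_members "$tmp/group.wheel")"
    echo "no wheel:     group=$(su_allowed_group "$tmp/group.nowheel") members=$(su_allowed_members "$tmp/group.nowheel")"
    rm -r "$tmp"
}
demo
```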


CategorySystemAdministration | CategorySystemSecurity | CategoryRedundant: merge with ?Pam