Revision 12 as of 2020-09-19 13:49:28
Pam Wheel
Introduction
Set up the pam_wheel module to restrict the execution of su to members of the wheel group. This involves editing /etc/pam.d/su and (generally) adding a wheel group. The root group will be used if the wheel group does not exist, but it is not recommended to include non-root users in the root group.
Restrict the execution of su
With root privileges, uncomment the following line in /etc/pam.d/su by removing the leading '#':
auth required pam_wheel.so
Now no user (other than root, and anyone else in the root group) can execute su.
Allow a user to execute su
Having restricted the execution of su, create the wheel group with root privileges:
# addgroup --system wheel
And then add user_name to that group:
# adduser user_name wheel
Now user_name can execute su. Repeat the adduser call for other users if required.
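The three steps above leave two things to verify on a system: that the pam_wheel line is really uncommented, and which accounts the group it consults admits. The POSIX sh script below is an added example, not part of this wiki page; it takes a pam.d/su file and a group file as parameters (so it can be pointed at /etc/pam.d/su and /etc/group, or at the constructed samples it creates) and mirrors the fallback described above: the wheel group if it exists, otherwise the root group (assumed here to be gid 0).

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): audit whether pam_wheel is
# enforced in a pam.d/su file and list who the wheel (or fallback root) group
# admits. Paths are parameters so the functions can be run against the live
# /etc/pam.d/su and /etc/group or against the constructed samples below.

# Report "active" if an uncommented "auth required pam_wheel.so" line is
# present, "inactive" otherwise (the Debian default ships the line commented).
pam_wheel_state() {
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"; then
        echo active
    else
        echo inactive
    fi
}

# Print "<group>: <members>" for the group pam_wheel consults: "wheel" if it
# exists, otherwise the gid 0 group (the page's "root group"; assumption: root's
# primary gid is 0). Only members listed in the group file are shown; users
# whose primary group is that group would also pass the check.
su_allowed_users() {
    line=$(grep '^wheel:' "$1" || grep -E '^[^:]*:[^:]*:0:' "$1")
    [ -n "$line" ] || { echo "no wheel or gid 0 group found"; return 1; }
    printf '%s: %s\n' "${line%%:*}" "${line##*:}"
}

# Constructed sample inputs standing in for /etc/pam.d/su and /etc/group.
tmp=$(mktemp -d)
printf '# auth required pam_wheel.so\nauth sufficient pam_rootok.so\n' > "$tmp/su.default"
printf 'auth required pam_wheel.so\nauth sufficient pam_rootok.so\n' > "$tmp/su.hardened"
printf 'root:x:0:\nwheel:x:10:alice,bob\n' > "$tmp/group.wheel"
printf 'root:x:0:carol\nusers:x:100:dave\n' > "$tmp/group.nowheel"

for f in su.default su.hardened; do
    printf '%s: pam_wheel %s\n' "$f" "$(pam_wheel_state "$tmp/$f")"
done
for g in group.wheel group.nowheel; do
    printf '%s -> %s\n' "$g" "$(su_allowed_users "$tmp/$g")"
done
rm -r "$tmp"
```

Run it as `sh audit_su.sh`; on a real host, call `pam_wheel_state /etc/pam.d/su` and `su_allowed_users /etc/group` after sourcing the functions.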
CategorySystemAdministration | CategorySystemSecurity | CategoryRedundant: merge with Pam