How to Disable “su” Access for Sudo Users?

System security requires careful management of root access, especially in multi-user environments. The su command allows users to switch accounts and potentially gain root privileges, which can pose security risks when combined with sudo access. This guide explains how to disable su access for sudo users to enhance system security.

Understanding Sudo and Su Commands

The sudo command allows authorized users to execute administrative tasks with elevated privileges by entering their own password rather than the root password. It provides controlled, temporary access to root-level functions while maintaining an audit trail of executed commands.

The su command (substitute user) enables switching from one user account to another, including switching to the root account. Unlike sudo, su typically requires the target user's password and provides unrestricted access once authenticated.

Feature           | sudo                             | su
Password Required | User's own password              | Target user's password
Access Level      | Controlled/specific commands     | Full shell access
Audit Trail       | Yes (logged)                     | Limited
Session Duration  | Single command or timed session  | Until manually exited

Security Risks of Su Access for Sudo Users

Unauthorized Root Access

When sudo users retain su access, they can potentially bypass sudo's controlled environment and gain unrestricted root privileges. This creates several security vulnerabilities:

  • Privilege escalation: Attackers can use compromised sudo accounts to gain full root access

  • Audit bypass: Actions performed through su may not be logged as comprehensively as sudo commands

  • Policy circumvention: Users can bypass sudo restrictions and time limits

Multi-User Environment Risks

In environments with multiple privileged users, unrestricted su access can lead to conflicts and accountability issues. It becomes difficult to track which user performed specific administrative actions, potentially causing system instability or security breaches.

How to Disable Su Access for Sudo Users

Method 1: Modifying PAM Configuration

Step 1: Open Terminal

Launch your terminal application using Ctrl+Alt+T or through your system's application menu.

Step 2: Edit PAM Configuration File

Open the PAM configuration file for su using a text editor:

sudo nano /etc/pam.d/su

Step 3: Modify Authentication Rules

Locate and comment out the following line by adding a # at the beginning:

# auth sufficient pam_rootok.so

Then add this line to require group membership for su access:

auth required pam_wheel.so use_uid

Step 4: Save and Exit

Save the file using Ctrl+X, then Y, then Enter if using nano.

Method 2: Group-Based Restriction

Create a restricted group that cannot use su while maintaining sudo privileges:

sudo groupadd nosu
sudo usermod -a -G nosu username

Then modify /etc/pam.d/su to deny access for this group:

auth required pam_wheel.so deny group=nosu

Verification and Testing

After implementing the changes, test the configuration:

su -

The command should now fail for sudo users who are not in the wheel group. Verify that sudo functionality remains intact:

sudo whoami

[Figure: Su Access Control Flow. A user request passes through the PAM group membership check: wheel group allowed, nosu group denied, other users denied.]
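As an added example (not part of the original article), the following read-only shell script complements the manual test by reporting which of the two methods a file in /etc/pam.d/su format currently enforces, and whether pam_rootok.so is still active. The function names su_pam_mode and rootok_active and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a file in /etc/pam.d/su format.

# Print how the first active (uncommented) pam_wheel.so auth line restricts su:
#   allow-group:<name>  only members of <name> may use su (Method 1)
#   deny-group:<name>   members of <name> are refused (Method 2)
#   unrestricted        no active pam_wheel.so line
su_pam_mode() {
    awk '
        /^[[:space:]]*#/ { next }              # commented-out rules are inactive
        $1 == "auth" && /pam_wheel\.so/ {
            deny = 0; group = "wheel"          # default group when group= is absent
            for (i = 3; i <= NF; i++) {
                if ($i == "deny") deny = 1
                if ($i ~ /^group=/) group = substr($i, 7)
            }
            mode = deny ? "deny-group:" : "allow-group:"
            print mode group
            found = 1; exit
        }
        END { if (!found) print "unrestricted" }
    ' "$1"
}

# Succeed (exit 0) if an uncommented pam_rootok.so auth line is present,
# meaning root can still run su without being asked for a password.
rootok_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_rootok\.so' "$1"
}

# Constructed sample: the file contents that Method 1 produces.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
EOF

echo "mode: $(su_pam_mode "$sample")"
if rootok_active "$sample"; then
    echo "pam_rootok: active"
else
    echo "pam_rootok: commented out"
fi
rm -f "$sample"
```

To audit a live system, call both functions with /etc/pam.d/su as the argument; neither function writes to the file.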

Best Practices

  • Regular auditing: Monitor sudo and authentication logs regularly

  • Principle of least privilege: Grant only necessary permissions to users

  • Multi-layered security: Combine su restrictions with strong passwords and regular updates

  • Documentation: Maintain records of which users have administrative access

Conclusion

Disabling su access for sudo users significantly improves system security by preventing privilege escalation and maintaining better audit control. By modifying PAM configurations and implementing group-based restrictions, administrators can create a more secure environment while preserving necessary administrative functionality through sudo.

Updated on: 2026-03-17T09:01:38+05:30
