Limit su Access to the Root Account

1. Ensure that the group wheel exists, and that the usernames of all administrators who should be allowed to execute commands as root are members of that group.
# grep ^wheel /etc/group
2. Edit the file /etc/pam.d/su. Add, uncomment, or correct the line:
auth required pam_wheel.so use_uid

The su command allows a user to gain the privileges of another user by entering the password for that user’s account. It is desirable to restrict the root user so that only known administrators are ever allowed to access the root account.
This restricts password-guessing against the root account by unauthorized users or by accounts which have been compromised.
By convention, the group wheel contains all users who are allowed to run privileged commands. The PAM module pam_wheel is used to restrict root access to this set of users.
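
The two steps above can be checked with a short audit script. This is an added example, not part of the original guide; the function names (wheel_members, su_requires_wheel, audit_su) are assumptions of the example, and the demo files at the end are constructed samples.

```shell
#!/bin/sh
# Added example: audit the wheel group and the pam_wheel line for su.
# File paths are parameters so the checks can run against copies.

# Print the member list of group wheel; return 1 if the group is missing.
# Users whose primary group is wheel are not listed in this field.
wheel_members() {
    line=$(grep '^wheel:' "$1") || return 1
    printf '%s\n' "${line##*:}"
}

# Succeed only if an uncommented "auth required pam_wheel.so ... use_uid"
# line is present in the given PAM service file.
su_requires_wheel() {
    awk '$1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" {
             for (i = 4; i <= NF; i++) {
                 if ($i ~ /^#/) break          # rest of line is a comment
                 if ($i == "use_uid") found = 1
             }
         }
         END { exit !found }' "$1"
}

# Run both checks; defaults are the live system files.
audit_su() {
    group_file=${1:-/etc/group}; pam_file=${2:-/etc/pam.d/su}; rc=0
    if members=$(wheel_members "$group_file"); then
        echo "wheel members (review this list): ${members:-<none listed>}"
    else
        echo "FAIL: no wheel group in $group_file"; rc=1
    fi
    if su_requires_wheel "$pam_file"; then
        echo "OK: $pam_file requires pam_wheel.so use_uid"
    else
        echo "FAIL: $pam_file has no active pam_wheel.so use_uid line"; rc=1
    fi
    return $rc
}

# Demo on constructed sample files: the pam_wheel line is still commented out.
demo=$(mktemp -d)
printf 'root:x:0:\nwheel:x:10:alice,bob\n' > "$demo/group"
printf 'auth sufficient pam_rootok.so\n#auth required pam_wheel.so use_uid\n' > "$demo/su"
audit_su "$demo/group" "$demo/su" || true
rm -rf "$demo"
```

Calling audit_su with no arguments checks /etc/group and /etc/pam.d/su on the running system.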
