The su (Substitute User) command allows you to become other existing users on the system. For example you can temporarily become ‘root’ and execute commands as the super-user ‘root’.
Step 1
If you don’t want anyone to su to root or want to restrict the su command to certain users then uncomment the following line of your su configuration file in the /etc/pam.d directory. We highly recommend that you limit the persons allowed to su to the root account.
• Edit the su file (vi /etc/pam.d/su) and uncomment the following line in the file:
auth required /lib/security/pam_wheel.so use_uid
After this line has been uncommented, the /etc/pam.d/su file should look like this:
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
This means that only members of the “wheel” group can su to root; it also includes logging. Note that the “wheel” group is a special group on your system that can be used for this purpose. You cannot use an arbitrary group name for this hack. Combined with specifying which TTY and VC devices the super-user root is allowed to log in on, this hack will greatly improve the security of your system.
Step 2
Now that we have defined the “wheel” group in our /etc/pam.d/su configuration file, it is time to add some users who will be allowed to su to the super-user “root” account.
• If you want to make, for example, the user “admin” a member of the “wheel” group, and thus be able to su to root, use the following command:
[root@deep /]# usermod -G10 admin
Here “G” specifies the list of supplementary groups of which the user is also a member, “10” is the numeric group ID of “wheel”, and “admin” is the user we want to add to the “wheel” group. Use the same command for every user on your system who should be able to su to the super-user “root” account.
NOTE: For Linux users who use the Xwindow interface, it is important to note that if you can't su in a GNOME terminal, it’s because you’ve used the wrong terminal. (So don't think that this advice doesn't work simply because of a GNOME terminal problem!)
Optional:
A special line exists in the su file /etc/pam.d/su which allows you to implicitly trust users in the “wheel” group (for security reasons, I don’t recommend using this option). This means that all users who are members of the “wheel” group can su to root without the need to enter the super-user “root” password.
• To allow users who are members of the “wheel” group to su to the root account without the need to enter the “root” password, edit the su file (vi /etc/pam.d/su) and uncomment the following line in the file:
auth sufficient /lib/security/pam_wheel.so trust use_uid
After this line has been uncommented, the /etc/pam.d/su file should look like this:
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth sufficient /lib/security/pam_wheel.so trust use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
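To check which of the two su configurations above is actually in effect, the following script (an added example, not from the book) classifies the active pam_wheel line in a su PAM file and lists the members of the “wheel” group. The function names and the sample files are constructed for illustration; on a real system, point the functions at /etc/pam.d/su and /etc/group.

```shell
#!/bin/sh
# Added example (not from the book): audit a su PAM file and wheel membership.

# Classify the active (uncommented) pam_wheel auth line in a PAM file:
#   trusted    - wheel members can su without the root password
#   restricted - only wheel members may su, password still required
#   open       - no active pam_wheel line, any user may attempt su
audit_su_pam() {
    awk '
        /^[ \t]*#/ { next }   # skip comment lines
        $1 == "auth" && $3 ~ /pam_wheel\.so$/ {
            trust = 0
            for (i = 4; i <= NF; i++) if ($i == "trust") trust = 1
            if (trust && $2 == "sufficient") trusted = 1
            else if ($2 == "required" || $2 == "requisite") restricted = 1
        }
        END {
            if (trusted) print "trusted"
            else if (restricted) print "restricted"
            else print "open"
        }' "$1"
}

# Print the member list of the wheel group from a group(5)-format file.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# Constructed sample files so the example runs without touching /etc.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/su.step1" <<'EOF'
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so use_uid
EOF
cat > "$tmp/su.trust" <<'EOF'
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth sufficient /lib/security/pam_wheel.so trust use_uid
#auth required /lib/security/pam_wheel.so use_uid
EOF
printf 'root:x:0:root\nwheel:x:10:root,admin\n' > "$tmp/group"

echo "step 1 file: $(audit_su_pam "$tmp/su.step1")"
echo "trust file:  $(audit_su_pam "$tmp/su.trust")"
echo "wheel:       $(wheel_members "$tmp/group")"
```

A result of “trusted” means the optional line is active, so every account listed by wheel_members is equivalent to root without a password.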
Using sudo instead of su for logging in as super-user
There is a security tool called “sudo” that we discuss in this book. This security software allows us to achieve the same result as using the su command to get root privilege on the server, but in a more secure and informative way. With sudo installed on our server, we can get information about who is connected as super-user root, as well as many other useful features. Please see the chapter related to this security program in this book for more information about sudo. If you want to use sudo to allow and control who is allowed to log in as super-user root on your server, then you no longer need to use the su command of Linux to achieve this task, and we can remove the SUID bit on this command to completely disable su and use sudo.
This lets us remove one more SUID bit on our secure server and have a more complete and powerful security software to control access to super-user root. This is the method I highly recommend you use instead of the su command of Linux.
Step 1
To achieve this result, we have to remove the SUID bit of the su command and install the sudo security software as explained further down in this book. This also implies that we don’t need to modify the above su configuration file on our system. To recap, all we need to do is to remove the SUID bit on the su command and install sudo on our server.
• To remove the SUID bit on the su binary, use the following command: