Score:2

How do you disable su?


I'm confused about su a bit. I just want to prevent users from using su across the board. Authorized users will have sudo access so they can be root if desired. We just want to completely disable su in any case.

This source has you uncomment and replace `auth required pam_wheel.so` with `auth required pam_wheel.so use_uid` in /etc/pam.d/su (https://securitronlinux.com/bejiitaswrath/how-to-disable-the-su-to-root-in-linux-using-pam/), but the page says

> This will require a user to login as root at a terminal to be able to use a root prompt.

so I'm concerned it will prevent users from using `sudo -s`.

Also, we don't want users to be able to escape to root and then `su` into each other's accounts. I see in /etc/pam.d/su

```
# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
```

Is it safe for me to comment out this line? Will that finish achieving my objective without locking us all out?

Nmath: 1) Ubuntu does not have a root account, so you cannot log in as root; 2) any user with sudo privileges can do anything they want, including read/write/execute to other users' accounts.
mook765: I don't understand why you worry about `su`. If someone uses `su` he will need to enter the password of the user he wants to switch to; if he doesn't know this password he will not be able to switch to that user.
bluesquare: @Nmath There's no root account? How should I call this?

```
root@MRHOSTMAN:~# id
uid=0(root) gid=0(root) groups=0(root)
```
bluesquare: @mook765 Hi, there was no password required to do this:

```
root@MRHOSTMAN:~# su otherguy
otherguy@MRHOSTMAN:/home/firstguy$
```
mook765: Only when you are root can you do it, not when you are an ordinary user.
Score:1

Ubuntu uses this security model:

  1. You cannot log in as root: the account's password is locked.
  2. Users can gain root permissions only via sudo. To do so they must be in the sudo or admin group, or listed directly in the sudo config files.

So if you want users to be unable to use su, remove them from the sudo and admin groups. If they need to do some admin tasks, then better add them to the group myadmins and configure the permissions of group myadmins in the sudoers config file.

ru flag
This doesn't disable the use of the `su` command - that command will still work, but unless they know the password for other users it won't help them. Just for clarification, because `sudo` or `admin` group removal won't stop `su` from still doing its functions - they just can't log in to any account if there are locked passwords or if they don't know the passwords for the accounts they're attempting.
pasman pasmański: `su` is not disabled, because you may run commands working similarly: `sudo sh`, `sudo bash` etc. Users in the `sudo` group can do anything, including repairing locked accounts. Users in the `myadmin` group may have strictly defined permissions. Other users have standard permissions.
ru flag
Except you're now talking about two completely different things. OP is asking how to **disable `su`**, not disable sudo/admin login. Even if someone doesn't have sudo perms, they can still use `su` to log in to other users on the system.
pasman pasmański: Disabling `su` makes no sense. If some user can use `su otheruser` because he knows the password of otheruser, then he may log out and log in as otheruser.
bluesquare: @pasmanpasmański I'm confused. I can log in as root... `sudo -s` and then I'm root. How do you mean you can't log in as root? Also, I can currently `su root` and I thought I logged in as root (uid=0).
Nmath: Please review: https://askubuntu.com/q/687249
Nmath: Based on the wording of the question and the comments, it seems that OP is conflating `su` with `sudo` or root login or perhaps `sudo su`. If OP is actually wanting to only disable the use of `su`, I agree that it would be useless: 1) because you need a user's password to use it, and 2) if you have the user's password you can just log in as that user anyway, rendering the `su` disablement completely ineffective.
pasman pasmański: @Lojitech `sudo -s` works because you are in the `sudo` group. If you create a new user, he can't do `sudo -s`.
bluesquare: @pasmanpasmański OK, but as I said, authorized users will have sudo access. So I was hoping to find out if I can disable su the way I mentioned in my post, safely.
Score:0

Thanks to @pasmanpasmański and all the commenters and question answerers who really enhanced my understanding of Ubuntu.

To disable su on Ubuntu (and some Red Hat distros too, actually), do exactly this:

Edit /etc/pam.d/su:

Comment out `auth required pam_wheel.so` and add `auth required pam_wheel.so use_uid` below it,

and comment out `auth sufficient pam_rootok.so`

(as per securitronlinux.com)

Then you can expect: no one, including root, can su!

cbugra: Tried this one; indeed it prompts for the password of the account being logged into. This, however, might have a downside for copy-pasters like myself in that it keeps one from logging in as root if root does not have a valid password (sudo is of no use here, as root is being kept from logging in as anyone by the line containing `pam_rootok.so` being commented out). Just a warning beforehand. This can be changed later on via simply `sudo passwd root`, or better `sudo vim /etc/pam.d/su`.
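The procedure from the answer above, applied to a copy of /etc/pam.d/su and then verified, as an added example; it is not code from the thread or from securitronlinux.com. The sample file is constructed from the two lines the question quotes plus the commented `pam_wheel.so` line that Ubuntu ships, and the function names (`write_sample_su`, `harden_su_pam`, `check_su_pam`) are my own. It assumes GNU grep and a POSIX awk, and it never touches the real /etc/pam.d/su.

```shell
#!/bin/sh
# Added example, not code from the Ask Ubuntu thread: apply the two edits the
# answer prescribes to a copy of /etc/pam.d/su and verify the result.
# The sample file below is constructed from the lines quoted in the thread.
set -eu

# Write a constructed stand-in for /etc/pam.d/su to the path in $1.
write_sample_su() {
    cat > "$1" <<'EOF'
# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

# Uncomment this to force users to be a member of group root
# before they can use `su'.
# auth       required   pam_wheel.so

@include common-auth
EOF
}

# Apply the answer's procedure to the file in $1:
#   1. keep the "auth required pam_wheel.so" line commented and add an active
#      "auth required pam_wheel.so use_uid" line directly below it
#   2. comment out "auth sufficient pam_rootok.so"
# Running it twice is a no-op, so a config-management tool can call it repeatedly.
harden_su_pam() {
    f="$1"
    have_use_uid=0
    grep -qE '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' "$f" && have_use_uid=1
    awk -v have_use_uid="$have_use_uid" '
        # 2. the root-ok line lets uid 0 su without a password; comment it out
        /^auth[ \t]+sufficient[ \t]+pam_rootok\.so/ { print "# " $0; next }
        # 1. the wheel line, commented or not, is emitted commented, then the use_uid line
        /^#?[ \t]*auth[ \t]+required[ \t]+pam_wheel\.so[ \t]*$/ {
            line = $0
            sub(/^#?[ \t]*/, "", line)
            print "# " line
            if (!have_use_uid) print "auth       required   pam_wheel.so use_uid"
            next
        }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Return 0 if $1 carries both edits (use_uid line active, pam_rootok line inactive), 1 otherwise.
check_su_pam() {
    f="$1"
    grep -qE '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' "$f" || return 1
    if grep -qE '^auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so' "$f"; then
        return 1
    fi
    return 0
}

# Demonstration on a temporary copy; the real /etc/pam.d/su is never touched.
demo() {
    d=$(mktemp -d)
    write_sample_su "$d/su"
    harden_su_pam "$d/su"
    harden_su_pam "$d/su"        # second run changes nothing
    if check_su_pam "$d/su"; then echo "hardened:"; else echo "NOT hardened:"; fi
    cat "$d/su"
    rm -rf "$d"
}

demo
```

`check_su_pam` is the state a configuration-management run would assert on after applying the change. Two things to keep in mind while testing: `pam_wheel.so` also limits `su` to members of group root (group wheel where that group exists), which is what the shipped comment in the sample describes, and, as cbugra observed above, with `pam_rootok.so` disabled root itself is asked for the target account's password. Keep a `sudo -s` session open while you apply the edit and confirm it still works before logging out, since sudo is the only remaining way back to root on a system with a locked root password.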