5.14. Blocking su to root by one and sundry

The su (Substitute User) command allows you to become any other existing user on the system. For example, you can temporarily become root and execute commands as the super-user. If you don't want anyone to su to root, or want to restrict the su command to certain users, add the following two lines to the top of the su configuration file in the /etc/pam.d/ directory. We highly recommend that you limit the people allowed to su to the root account.

  1. Edit the su file (vi /etc/pam.d/su) and add the following two lines to the top of the file:
                   auth       sufficient   /lib/security/pam_rootok.so debug
                   auth       required     /lib/security/pam_wheel.so group=wheel

    After adding the two lines above, the /etc/pam.d/su file should look like this:
                   #%PAM-1.0
                   auth       sufficient   /lib/security/pam_rootok.so debug
                   auth       required     /lib/security/pam_wheel.so group=wheel
                   auth       required     /lib/security/pam_pwdb.so shadow nullok
                   account    required     /lib/security/pam_pwdb.so
                   password   required     /lib/security/pam_cracklib.so
                   password   required     /lib/security/pam_pwdb.so shadow use_authtok nullok
                   session    required     /lib/security/pam_pwdb.so
                   session    optional     /lib/security/pam_xauth.so

    This means that only members of the wheel group can su to root; the debug option on pam_rootok.so also turns on logging. Note that the wheel group is a special group on your system that exists for this purpose. You cannot use any group name you want to make this hack. This hack, combined with specifying which TTY devices root is allowed to log in on, will improve the security of the system a lot.

  2. Now that we have named the wheel group in our /etc/pam.d/su configuration file, it is time to add the users who are allowed to su to the root account. If you want to make, for example, the user admin a member of the wheel group, and thus able to su to root, use the following command:
                   [root@deep] /# usermod -G10 admin

    • -G takes the list of supplementary groups the user is also a member of;

    • 10 is the numeric ID (GID) of the wheel group;

    • admin is the user we want to add to the wheel group.

    Use the same command for every user on your system who should be able to su to the root account. If you can't su in a GNOME terminal, it's because you've used the wrong terminal. So don't think that this advice simply doesn't work because of a terminal problem!
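The following script is an added example and is not part of the original guide. It audits the two steps above offline: it checks that an /etc/pam.d/su-style file carries an active pam_wheel.so line in its auth stack with pam_rootok.so ahead of it (so root itself can still su to other accounts), and it checks whether a given user is listed in the wheel group of an /etc/group-style file. All file contents are constructed samples written to a temporary directory; the helper names (su_wheel_restricted, rootok_before_wheel, user_in_group, audit_report) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the /etc/pam.d/su
# wheel restriction and wheel-group membership against constructed files.

# su_wheel_restricted PAMFILE
#   Exit 0 if an uncommented "auth required|requisite ... pam_wheel.so"
#   line exists in PAMFILE, 1 otherwise.
su_wheel_restricted() {
    grep -Ev '^[[:space:]]*#' "$1" \
      | grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_wheel\.so'
}

# rootok_before_wheel PAMFILE
#   Exit 0 if the first pam_rootok.so line comes before the first
#   pam_wheel.so line (comments ignored), so root is not locked out of su.
rootok_before_wheel() {
    awk '
        /^[[:space:]]*#/ { next }
        /pam_rootok\.so/ && !r { r = NR }
        /pam_wheel\.so/  && !w { w = NR }
        END { exit !(r && w && r < w) }
    ' "$1"
}

# user_in_group USER GROUP GROUPFILE
#   Exit 0 if USER appears in GROUP's member list (4th field) of GROUPFILE.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit !found }
    ' "$3"
}

# audit_report PAMFILE GROUPFILE USER
#   Print a one-line verdict combining both checks.
audit_report() {
    if su_wheel_restricted "$1" && rootok_before_wheel "$1"; then
        status="su to root restricted to wheel"
    else
        status="su to root NOT restricted"
    fi
    if user_in_group "$3" wheel "$2"; then
        member="$3 is in wheel"
    else
        member="$3 is not in wheel"
    fi
    echo "$(basename "$1"): $status; $member"
}

# --- constructed sample files (not real system files) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_SU="$SAMPLE_DIR/su.hardened"
BAD_SU="$SAMPLE_DIR/su.default"
GROUP_FILE="$SAMPLE_DIR/group"

# Hardened file: the two lines from the guide placed at the top.
cat > "$GOOD_SU" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so debug
auth       required     /lib/security/pam_wheel.so group=wheel
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
EOF

# Unhardened file: anyone who knows the root password may su.
cat > "$BAD_SU" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
EOF

# Sample group file: admin and ops are in wheel (GID 10), alice is not.
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:admin,ops
users:x:100:alice
EOF

audit_report "$GOOD_SU" "$GROUP_FILE" admin
audit_report "$GOOD_SU" "$GROUP_FILE" alice
audit_report "$BAD_SU"  "$GROUP_FILE" alice
```

Run it against the live system with `audit_report /etc/pam.d/su /etc/group admin` once the functions are sourced. One caveat on step 2: `usermod -G` replaces the user's whole supplementary group list, so on current shadow-utils use `usermod -a -G wheel admin` to append wheel without dropping the user's other groups.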

  Published under the terms of the Open Publication License