|Securing and Optimizing Linux: RedHat Edition -A Hands on Guide|
|Prev||Chapter 5. General System Security||Next|
The su Substitute User command allows you to become other existing users on the system. For example you can temporarily become root and execute commands as the super-user root. If you don't want anyone to su to root or restrict su command to certain users then add the following two lines to the top of your su configuration file in the /etc/pam.d/ directory. We highly recommend that you limit the person allowed to su to the root account.
Edit the su file vi /etc/pam.d/su and add the following two lines to the top of the file:
auth sufficient /lib/security/pam_rootok.so debug auth required /lib/security/pam_wheel.so group=wheel
#%PAM-1.0 auth sufficient /lib/security/pam_rootok.so debug auth required /lib/security/pam_wheel.so group=wheel auth required /lib/security/pam_pwdb.so shadow nullok account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so shadow use_authtok nullok session required /lib/security/pam_pwdb.so session optional /lib/security/pam_xauth.so
Now that we have defined the wheel group in our /etc/pam.d/su file configuration, it is time to add some users allowed to su to root account. If you want to make, for example, the user admin a member of the wheel group, and thus be able to su to root, use the following command:
[root@deep] /# usermod -G10 admin
Which means G is a list of supplementary groups,
Where the user is also a member of, 10 is the numeric value of the user's ID wheel,
admin is the user we want to add to wheel group.