How to Disable ‘su’ Access for Sudo Users

The su command is a special Linux command that allows a command to be executed as another user or group. It lets you switch to the root account (when run without any arguments) or to another specified user account.

By default, all users are allowed to invoke the su command. As a system administrator, you can disable su access for a user, or for a group of users, by using the sudoers file as described below.

The sudoers file drives the sudo security policy plugin, which determines a user’s sudo privileges. The sudo command allows users to run programs with the security privileges of another user (by default, the root user).

A user can switch to another account from their current login session by running the su command, as shown below. In this example the user aaronk switches to the testuser account; aaronk will be prompted for the password of the testuser account.

$ su testuser
Switch to a different user

To switch to the root account, a user must either know the root password or be able to invoke sudo, which means the user must be listed in the sudoers file. In this example, user aaronk (a sudo user) switches to root.


After invoking sudo, the user aaronk is prompted for his or her own password; if it is valid, the user is granted an interactive shell as root:

$ sudo su
Switch to root user

Disable Su Access for a Sudo User

To disable su access for a sudo user, for example the user aaronk above, first back up the original sudoers file located at /etc/sudoers as follows:

$ sudo cp /etc/sudoers /etc/sudoers.bak

The following command opens the sudoers file. Note that it is not recommended to edit the sudoers file by hand; always use the visudo command, which checks the syntax before saving:

$ sudo visudo

In the command aliases section, create the following alias:

Cmnd_Alias DISABLE_SU = /bin/su

Then add the following line at the end of the file, replacing the username aaronk with the user you wish to disable su access for:

aaronk ALL=(ALL) NOPASSWD: ALL, !DISABLE_SU

Save and close the file.

Next, test the setup to confirm that it is working as expected. sudo should now refuse the command with an error message like this: “Sorry, user aaronk is not allowed to execute ‘/bin/su’ as root on tecmint.”

$ sudo su
Disable su access for a sudo user

Disable su Access for a Group of Sudo Users

You can also disable su access for a whole group of sudo users. For example, to disable su access for all users in the group admin, modify the line:

%admin ALL=(ALL) ALL

to this:

%admin ALL=(ALL) ALL, !DISABLE_SU

Save the file, then close it.
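As an added example (not part of the original article), the same policy from the single-user and group sections above can be written as a drop-in file under /etc/sudoers.d, syntax-checked with visudo -c before it goes live, installed with the 0440 mode sudo requires, and then verified with sudo -l. The function names, the drop-in file name and the /bin/su path used by the article are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original article: write the su-blocking policy
# as a sudoers drop-in instead of editing /etc/sudoers in place, syntax-check
# it with `visudo -c` before it goes live, and install it with the 0440 mode
# sudo requires. The function names, the drop-in file name and the default
# su path (/bin/su, as used in the article) are assumptions made here.

# render_su_block_policy NAME [SU_PATH]
# Prints the two sudoers lines from the article for NAME, which is a user
# (aaronk) or a group in sudoers syntax (%admin).
render_su_block_policy() {
    name="$1"
    su_path="${2:-/bin/su}"
    printf 'Cmnd_Alias DISABLE_SU = %s\n' "$su_path"
    printf '%s ALL=(ALL) ALL, !DISABLE_SU\n' "$name"
}

# drop_in_path NAME: file under /etc/sudoers.d; sudo ignores names that
# contain '.' or '~', and '%' is stripped so a group name is usable.
drop_in_path() {
    printf '/etc/sudoers.d/disable-su-%s\n' "$(printf '%s' "$1" | tr -d '%.~')"
}

# install_su_block_policy NAME [SU_PATH]: must run as root.
# Never copies an unchecked file into place: a syntax error in any sudoers
# file can lock every administrator out of sudo.
install_su_block_policy() {
    name="$1"
    target=$(drop_in_path "$name")
    tmp=$(mktemp) || return 1
    render_su_block_policy "$name" "${2:-/bin/su}" > "$tmp"
    if ! visudo -c -f "$tmp" >/dev/null 2>&1; then
        echo "sudoers syntax check failed for $name; not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "$target"
    status=$?
    rm -f "$tmp"
    return $status
}

# verify_su_blocked USER [SU_PATH]: confirms sudo's effective policy for USER
# lists su as negated. `sudo -l` prints aliases expanded, so we look for the
# path, not the alias name. Needs root (sudo -l -U inspects another user).
verify_su_blocked() {
    sudo -l -U "$1" 2>/dev/null | grep -qF "!${2:-/bin/su}"
}
```

Keep in mind that the sudoers(5) manual warns that subtracting commands from ALL with the ‘!’ operator is not a reliable restriction, so treat this as a policy convenience rather than a hardening control, and audit sudo logs for the users concerned.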

To add a new user to the admin group, run the usermod command (replace username with the actual user):

$ sudo usermod -aG admin username

For more information on su, sudo and sudoers, check their man pages:

$ man su
$ man sudo
$ man sudoers
