Summary of methods for restricting users' su permissions on Linux systems

The su command on Linux is mainly used to switch completely into another user's environment, and it is normally available to every user. How, then, can its use by ordinary users be limited? The following article introduces a method for restricting users' su permission on Linux.

To further strengthen system security, it is necessary to establish an administrators group and allow only members of that group to log in as root with the "su -" command, so that users outside the group cannot become root even if they run "su -" and enter the correct root password. On UNIX and Linux this group is usually named "wheel".

First, prohibit users outside the wheel group from switching to root

1. Modify /etc/pam.d/su configuration

The code is as follows:

[root@db01 ~]# vi /etc/pam.d/su ← open this configuration file

#auth required /lib/security/$ISA/pam_wheel.so use_uid ← find this line and remove the leading "#"

2. Modify the /etc/login.defs file

The code is as follows:

[root@db01 ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs ← append this setting to the end of the file

After appending this line, create a new user and test with it: a user who has not been added to the wheel group cannot log in as root with the "su -" command, even when the correct root password is entered.

3. Add a user woo and test whether it can switch to root

The code is as follows:

[root@db01 ~]# useradd woo

[root@db01 ~]# passwd woo

Changing password for user woo.

New UNIX password:

BAD PASSWORD: it is WAY too short

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

4. Log in as user woo and try to switch to root

The code is as follows:

[woo@db01 ~]$ su - root ← cannot switch even when the password is entered correctly

Password:

su: incorrect password

[woo@db01 ~]$

5. Add the user woo to the wheel group and try to switch

The code is as follows:

[root@db01 ~]# usermod -G wheel woo ← add the ordinary user woo to the administrators group wheel

[root@db01 ~]# su - woo

[woo@db01 ~]$ su - root ← this time the switch succeeds

Password:

[root@db01 ~]#

Second, add a user to the administrators group and prohibit ordinary users from using su to become root

6. Add a user, join it to the administrators group, and prohibit ordinary users from using su to become root, to complement the installation of OpenSSH/OpenSSL for more secure remote management

The code is as follows:

[root@db01 ~]# useradd admin

[root@db01 ~]# passwd admin

Changing password for user admin.

New UNIX password:

BAD PASSWORD: it is too short

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

[root@db01 ~]# usermod -G wheel admin (or usermod -G 10 admin, where 10 is the GID of the wheel group)

[root@db01 ~]# su - admin

[admin@db01 ~]$ su - root

Password:

[root@db01 ~]#

Method 1: A group other than wheel can also be specified. Edit /etc/pam.d/su and add the following two lines

The code is as follows:

[root@db01 ~]# vi /etc/pam.d/su

auth sufficient /lib/security/pam_rootok.so debug

auth required /lib/security/pam_wheel.so group=wheel

Method 2: Edit /etc/pam.d/su and remove the "#" from the following line:

[root@db01 ~]# vi /etc/pam.d/su

On Red Hat: #auth required /lib/security/$ISA/pam_wheel.so use_uid ← remove the "#" at the beginning of the line

On CentOS 5: #auth required pam_wheel.so use_uid ← find this line and remove the "#" at the beginning of the line

Save and exit. Then the code is as follows:

[root@db01 ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs ← append this setting to the end of the file
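As an added example that is not part of the original article, the following POSIX shell script audits the two settings the steps above change: it reports whether a pam.d/su file has an uncommented pam_wheel auth line and whether a login.defs file contains "SU_WHEEL_ONLY yes". The file paths are parameters, the function names are my own, and the demo runs against constructed sample files rather than the live /etc files.

```shell
#!/bin/sh
# Added audit helper, not from the original article. It checks whether a
# pam.d/su file enforces pam_wheel (an uncommented "auth required" line, the
# result of the article's step 1) and whether a login.defs file carries the
# "SU_WHEEL_ONLY yes" setting from step 2. Paths are parameters so the checks
# run against constructed sample files as well as the real /etc files.

# Exit 0 when an uncommented pam_wheel.so auth line is present. Both the
# "/lib/security/$ISA/pam_wheel.so" path and the bare "pam_wheel.so" module
# name shown in the article are accepted; commented-out lines do not match.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_wheel\.so' "$1"
}

# Exit 0 when login.defs has an uncommented "SU_WHEEL_ONLY yes".
su_wheel_only_set() {
    grep -Eiq '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+yes([[:space:]]|$)' "$1"
}

# Prints "restricted" when the PAM rule is in place, otherwise "unrestricted".
# A PAM-built su evaluates the pam_wheel line, not SU_WHEEL_ONLY, so that line
# decides the verdict; the login.defs setting is reported separately below.
su_policy() {
    if pam_wheel_enforced "$1"; then echo restricted; else echo unrestricted; fi
}

# Report for one pam.d/su file ($1) and one login.defs file ($2).
audit_su() {
    printf 'pam_wheel enforced : '; pam_wheel_enforced "$1" && echo yes || echo no
    printf 'SU_WHEEL_ONLY yes  : '; su_wheel_only_set "$2" && echo yes || echo no
    printf 'su to root         : %s\n' "$(su_policy "$1")"
}

# Constructed samples: the state before step 1 (line still commented out) and
# the state after steps 1 and 2 have been applied.
demo() {
    d=$(mktemp -d)
    printf '#%%PAM-1.0\nauth sufficient pam_rootok.so\n#auth required pam_wheel.so use_uid\n' > "$d/su.before"
    printf '#%%PAM-1.0\nauth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid\n' > "$d/su.after"
    printf 'UMASK 077\n' > "$d/login.defs.before"
    printf 'UMASK 077\nSU_WHEEL_ONLY yes\n' > "$d/login.defs.after"
    echo '--- before ---'; audit_su "$d/su.before" "$d/login.defs.before"
    echo '--- after ---';  audit_su "$d/su.after"  "$d/login.defs.after"
    rm -rf "$d"
}

demo
```

To audit a real host, call audit_su /etc/pam.d/su /etc/login.defs instead of the constructed samples.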

The above is the method for restricting users' su permission on Linux. By using the wheel group, you can prevent users outside it from using the su command to become root. Have you learned it?
