When hardening Linux system security, many administrators want to maintain a simple root password while strictly controlling who can elevate privileges. The common sudo approach (via /etc/sudoers) doesn't directly apply to su, but we can achieve similar control through PAM (Pluggable Authentication Modules) configuration.
The most reliable method involves modifying the PAM configuration for su:
- Create a dedicated group for users permitted to use su:
sudo groupadd suaccess - Add authorized users to this group:
sudo usermod -aG suaccess username
Edit the PAM configuration file (/etc/pam.d/su) and add these lines near the top:
# Require membership in suaccess group auth required pam_succeed_if.so user ingroup suaccess
Here's a full example of what your /etc/pam.d/su might look like:
#%PAM-1.0 auth sufficient pam_rootok.so auth required pam_succeed_if.so user ingroup suaccess auth required pam_wheel.so use_uid auth include system-auth account include system-auth password include system-auth session include system-auth
Many Linux distributions historically used the wheel group for this purpose. To enable:
# Uncomment this line in /etc/pam.d/su: auth required pam_wheel.so use_uid
Then add users to the wheel group:
sudo usermod -aG wheel username
For your stated security model, first disable password authentication in /etc/ssh/sshd_config:
PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no
Then configure sudo for your privileged users in /etc/sudoers:
%suaccess ALL=(ALL) ALL
After implementation, test with both authorized and unauthorized users:
# As unauthorized user su - # Should fail with "Authentication failure" # As authorized user su - # Should prompt for password
Remember these additional hardening measures:
- Set strong passwords for accounts in the privileged group
- Regularly audit group membership
- Consider combining with SELinux/AppArmor
- Monitor auth logs (
/var/log/auth.logor/var/log/secure)
If users get locked out:
- Boot into single-user/recovery mode
- Mount filesystem read-write if needed
- Either modify PAM config or add user to required group
When hardening Linux systems, administrators often need to restrict su access while maintaining a simple root password for emergency access. The conventional wisdom of "just use sudo" doesn't always fit all scenarios, especially in:
- Legacy systems where
suis deeply integrated - Environments requiring direct root shell access
- Systems with specific compliance requirements
The Pluggable Authentication Modules (PAM) system provides granular control over su access. Here's how to implement user-based restrictions:
# Edit the su PAM configuration
sudo nano /etc/pam.d/su
Add this line to restrict access to specific groups:
auth required pam_wheel.so use_uid group=suusers
First, create a dedicated group for users who should have su privileges:
sudo groupadd suusers
sudo usermod -aG suusers privileged_user1
sudo usermod -aG suusers privileged_user2
Then modify the /etc/login.defs file:
SU_WHEEL_ONLY yes
For more granular control, use pam_listfile.so:
auth required pam_listfile.so \
onerr=fail item=user sense=allow file=/etc/su_access
Create the access control file:
sudo touch /etc/su_access
sudo chmod 600 /etc/su_access
echo "privileged_user1" | sudo tee -a /etc/su_access
echo "privileged_user2" | sudo tee -a /etc/su_access
Verify your setup by attempting to su from both authorized and unauthorized accounts:
su - privileged_user1 # Should work
su - regular_user # Should fail
- Always maintain backups of PAM configuration files
- Combine with SSH key-based authentication for privileged users
- Consider adding fail2ban protection for repeated su attempts
- Regularly audit the su_access file or group membership
If you get locked out:
- Boot into single-user/recovery mode
- Mount the filesystem as read-write
- Revert changes or add your user to the allowed group
# Recovery example
mount -o remount,rw /
usermod -aG suusers your_username