
I'm confused about su a bit. I just want to prevent users from using su across the board. Authorized users will have sudo access so they can be root if desired. We just want to completely disable su in any case.

This source has you uncomment and replace `auth required pam_wheel.so` with `auth required pam_wheel.so use_uid` in /etc/pam.d/su (https://securitronlinux.com/bejiitaswrath/how-to-disable-the-su-to-root-in-linux-using-pam/), but the page says

This will require a user to login as root at a terminal to be able to use a root prompt.

so I'm concerned it will prevent users from using `sudo -s`

Also, we don't want users to be able to escape to root and then su into each other's accounts. I see in /etc/pam.d/su

```
# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so
```

Is it safe for me to comment this line? Will that finish achieving my objective without locking us all out?

bluesquare
  • 1) Ubuntu does not have a root account so you cannot log in as root; 2) Any user with sudo privileges can do anything they want, including read/write/execute to other users' accounts – Nmath Nov 30 '21 at 19:29
  • I don't understand why you worry about `su`. If someone uses `su` he will need to enter the password of the user he wants to switch to; if he doesn't know this password he will not be able to switch to that user. – mook765 Nov 30 '21 at 19:41
  • @Nmath There's no root account? How should I call this? `root@MRHOSTMAN:~# id` `uid=0(root) gid=0(root) groups=0(root)` – bluesquare Nov 30 '21 at 21:37
  • @mook765 Hi, there was no password required to do this: `root@MRHOSTMAN:~# su otherguy` `otherguy@MRHOSTMAN:/home/firstguy$` – bluesquare Nov 30 '21 at 21:39
  • Only when you are root you can do it, not when you are an ordinary user. – mook765 Nov 30 '21 at 22:11

2 Answers


Thanks to @pasmanpasmański and all the commenters and question answerers who really enhanced my understanding of Ubuntu.

To disable su on Ubuntu (and some Red Hat distros too, actually), do exactly this:

Edit /etc/pam.d/su

Comment out `auth required pam_wheel.so` and add `auth required pam_wheel.so use_uid` below.

and comment out `auth sufficient pam_rootok.so`

(as per securitronlinux.com)

Then you can expect: No one, including root, can su!

bluesquare
  • Tried this one, indeed prompts for password of the account being logged into. This, however, might have a downside for copy-pasters like myself in that it keeps one from logging in as root if root does not have a valid password (sudo is of no use here, as root is being kept from logging in as anyone by the line containing `pam_rootok.so` being commented out). Just a warning beforehand. This can be changed later on via simply `sudo passwd root`, or better `sudo vim /etc/pam.d/su`. – cbugk Oct 27 '22 at 14:45
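The edit described in this answer, done as a script instead of by hand, as an added example that is not from the answer or the linked page: it takes a constructed, abridged copy of a stock Ubuntu /etc/pam.d/su (the two lines it touches are assumed to look as shown there; check yours with `grep -n` first), applies both changes idempotently with awk, and checks the result before anything replaces the real file. The helper names (`stock_pam_su`, `harden_pam_su`, `check_pam_su`) and the sample file are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the page or its answers): apply the answer's
# /etc/pam.d/su edits with awk, idempotently, to a copy, then verify the copy
# before it replaces the real file.

# Constructed, abridged stand-in for a stock Ubuntu /etc/pam.d/su (assumption:
# your file carries these two lines in this form; check with "grep -n" first).
stock_pam_su() {
  cat <<'EOF'
# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

# Uncomment this to force users to be a member of group root
# before they can use `su'.
# auth       required   pam_wheel.so

@include common-auth
@include common-account
@include common-session
EOF
}

# Read a su PAM file on stdin, write the hardened version on stdout:
#  - comment out "auth sufficient pam_rootok.so" (root must authenticate too)
#  - add "auth required pam_wheel.so use_uid" under the commented pam_wheel line
# Running it twice yields the same output.
harden_pam_su() {
  pam_in=$(cat)
  already=0
  if printf '%s\n' "$pam_in" | grep -qE '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*use_uid'; then
    already=1   # use_uid line is already active; do not add a second one
  fi
  printf '%s\n' "$pam_in" | awk -v added="$already" '
    /^auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so/ { print "# " $0; next }
    /^#[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so/ && !added {
      print
      print "auth       required   pam_wheel.so use_uid"
      added = 1
      next
    }
    { print }
  '
}

# Exit 0 only if no active pam_rootok line remains and an active
# pam_wheel.so line with use_uid is present.
check_pam_su() {
  pam_in=$(cat)
  if printf '%s\n' "$pam_in" | grep -qE '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so'; then
    return 1
  fi
  printf '%s\n' "$pam_in" | grep -qE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*use_uid'
}

# Stand-alone demo on the constructed file. Against a real host you would run,
# from a root shell that you keep open until su has been re-tested:
#   cp -a /etc/pam.d/su /etc/pam.d/su.bak
#   harden_pam_su < /etc/pam.d/su.bak > /tmp/su.new && check_pam_su < /tmp/su.new && cp /tmp/su.new /etc/pam.d/su
stock_pam_su | harden_pam_su
stock_pam_su | harden_pam_su | check_pam_su && echo "# check: hardened"
```

Keep a root shell (`sudo -s`) open in a second session until you have confirmed the new file behaves as expected. sudo authenticates through its own PAM service file, /etc/pam.d/sudo, not /etc/pam.d/su, so `sudo -s` keeps working; but, as the comment above notes, once `pam_rootok.so` is commented out root can no longer `su` to another account without that account's password.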

The security model used in Ubuntu is:

  1. You cannot log in as root: the account's password is locked.
  2. Users can gain root permissions only via sudo. To do so they must be in the sudo or admin group, or listed directly in the sudo config files.

So if you want users to be unable to use su, remove them from the sudo and admin groups. If they have to do some admin tasks, then better add them to a group myadmins and configure the permissions of group myadmins in the sudoers config file.

pasman pasmański
  • This doesn't disable the use of the `su` command - that command will still work, but unless they know the password for other users it won't help them. Just for clarification, because `sudo` or `admin` group removal won't stop `su` from still doing its functions - they just can't log in to any account if there are locked PWs or if they don't know the PWs for the accounts they're attempting – Thomas Ward Nov 30 '21 at 20:02
  • `su` is not disabled, because you may run commands working similarly: `sudo sh`, `sudo bash` etc. Users in the `sudo` group can do anything, including repairing locked accounts. Users in the `myadmin` group may have strictly defined permissions. Other users have standard permissions. – pasman pasmański Nov 30 '21 at 20:14
  • Except you're now talking about two completely different things. OP is asking how to **disable `su`**, not disable sudo/admin login. Even if someone doesn't have sudo perms, they can still use `su` to log in to other users on the system. – Thomas Ward Nov 30 '21 at 20:22
  • Disabling `su` makes no sense. If some user can use `su otheruser` because he knows the password of otheruser, then he may log out and log in as otheruser. – pasman pasmański Nov 30 '21 at 20:32
  • @pasmanpasmański I'm confused. I can log in as root... `sudo -s` and then I'm root. How do you mean you can't log in as root? Also, I can currently `su root` and I thought I logged in as root (uid=0) – bluesquare Nov 30 '21 at 22:55
  • Please review: https://askubuntu.com/q/687249 – Nmath Nov 30 '21 at 22:59
  • Based on the wording of the question and the comments, it seems that OP is conflating `su` with `sudo` or root login or perhaps `sudo su` - If OP is actually wanting to only disable the use of `su`, I agree that it would be useless: 1) because you need a user's password to use it, and 2) if you have the user's password you can just log in as that user anyway, rendering the `su` disablement completely ineffective – Nmath Nov 30 '21 at 23:10
  • @Lojitech `sudo -s` works, because you are in the `sudo` group. If you create a new user, he can't do `sudo -s` – pasman pasmański Dec 01 '21 at 06:00
  • @pasmanpasmański OK but as I said, authorized users will have sudo access. So I was hoping to find out if I can disable su the way I mentioned in my post, safely – bluesquare Dec 01 '21 at 14:16
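A concrete version of this answer's last suggestion, as an added example that is not from the answer: a drop-in for /etc/sudoers.d that grants a hypothetical `myadmins` group a fixed command list rather than `ALL`, together with a small check that rejects drop-ins which grant `ALL` or a shell or `su` binary (either of which is a root shell, and with it `su`, by another name). The group name, the command list and the helper names (`myadmins_sudoers`, `sudoers_is_restricted`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the page): a restricted sudoers drop-in for a
# hypothetical "myadmins" group, plus a lint that refuses blanket grants.

# Prints the drop-in. Group name and command list are assumptions; adjust
# them to the admin tasks the group actually needs.
myadmins_sudoers() {
  cat <<'EOF'
# /etc/sudoers.d/myadmins  (install with mode 0440, check with: visudo -cf <file>)
Cmnd_Alias MYADMIN_CMDS = /usr/bin/systemctl restart nginx, \
                          /usr/bin/systemctl status nginx, \
                          /usr/bin/journalctl -u nginx
# Only the aliased commands, as root, after the user's own password.
# No ALL, no shell, so no "sudo -s" / "sudo su" and no escape to root.
%myadmins ALL=(root) MYADMIN_CMDS
EOF
}

# Reads a sudoers fragment on stdin. Returns 0 if it grants neither a
# command list of ALL nor a shell or su binary; returns 1 otherwise.
sudoers_is_restricted() {
  rules=$(grep -vE '^[[:space:]]*#' || true)   # drop comment lines
  # "... = [(runas)] [NOPASSWD:] ALL" grants every command.
  if printf '%s\n' "$rules" | grep -qE '=[[:space:]]*(\([^)]*\)[[:space:]]*)?(NOPASSWD:[[:space:]]*)?ALL([[:space:]]|$)'; then
    return 1
  fi
  # A shell or su in the command list is a root shell by another name.
  if printf '%s\n' "$rules" | grep -qE '/bin/(ba|da)?sh([[:space:],]|$)|/bin/su([[:space:],]|$)'; then
    return 1
  fi
  return 0
}

# Stand-alone demo: print the drop-in and lint it, then lint a blanket grant.
myadmins_sudoers
myadmins_sudoers | sudoers_is_restricted && echo "# myadmins: restricted"
printf '%s\n' '%sudo ALL=(ALL:ALL) ALL' | sudoers_is_restricted || echo "# sudo group: unrestricted"
```

Write the printed fragment to /etc/sudoers.d/myadmins with mode 0440 and run `visudo -cf /etc/sudoers.d/myadmins` before relying on it; the grep check here only catches the obvious blanket grants and is not a sudoers parser. Members of `myadmins` then get exactly the aliased commands, while `sudo -s`, `sudo su` and any other route to a root shell stay reserved for the `sudo` group.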