Linux – Debian disable su to root user

debianlinuxpamSecuritysu

I am currently using Debian 7 (Wheezy) and I am trying to disable the su command only when the target user is root and not a privileged user.

For example, let's suppose the following users exist: root, public, privileged.

root would of course be able to su, without restrictions.

public should be able to su to privileged but not to root.

privileged should be able to su to root (or any user).

So far I have only been able to disable su to anyone but root and privileged, appending to /etc/pam.d/su the following line:

auth required pam_wheel.so 1005

Assuming 1005 is privileged uid.

However, this makes public unable to use su.

How could I make it?

Thank you!

Best Answer

auth sufficient pam_rootok.so
auth sufficient pam_succeed_if.so use_uid user = privileged
auth requisite  pam_succeed_if.so uid > 0
auth requisite  pam_unix.so

You could do this with sudo in an easier way:

privileged    ALL=(ALL:ALL) ALL
public        ALL=(privileged) ALL

Related Solutions

Linux – Debian – allow user to be root only for specific commands

Add to your /etc/sudoers file the following line:

user ALL=(root) NOPASSWD: /bin/mount,/bin/umount

where user is your non-root user and /bin/mount,/bin/umount is the list of commands you want to execute as root.

Now the non-root user can use the sudo command to run /bin/mount and /bin/umount with root privileges.

Linux – ‘user is not in the sudoers file’ but actually is

I pulled down the source code for sudo and it appears that the way this could happen is if your sudo is configured to use LDAP or SSSD methods to determine permissions. If either of those is available, it will be checked before the file method. This probably only makes sense if this machine was set up for you in a corporate environment or something? In these cases, the error message is a bit inaccurate as it still refers to the sudoers "file".

I've never used either of those for this but it appears they would be configured in an /etc/sudo.conf file, so you could see if you have such a thing. Looking at man sudo it mentions an LDAP plugin and man sudo.conf gives info about plugins are configured FWIW.

Best Answer

Related Solutions

Linux – Debian – allow user to be root only for specific commands

Linux – ‘user is not in the sudoers file’ but actually is

Related Question