By default, every Linux user can switch to other users by entering ‘su’ command. This is required in case non-privileged users need to run commands and programs that require administrative privileges or permissions. This is also used if a user simply needs to run commands as another user. On the other hand, this can be a security problem, in case unauthorized users switch to root login and run commands they are not authorized to run under normal circumstances. So it is advisable to disable su access to unauthorized users on your system. In this article, we will learn how to disable su access to sudo users in Linux. You can use these steps on all Ubuntu/Debian systems.
How to Disable su Access to Sudo in Linux
Typically, sudo users switch to root account using the following command.
$ sudo su
This command allows sudo users, that is, users with privileges, to switch to superuser root account, by simply using their original account’s password. This allows users or a group of users to obtain more privileges than they are supposed to.
Since we are using sudo command to run su command, Linux will look for the user account which is running this command, in /etc/sudoers or /etc/sudoers.d locations. If a match is found, that user is granted privileges to run commands as root user, as per the rules applicable for this user. Otherwise, this command is rejected and the instance is logged.
Sudo command works by looking for a match in /etc/sudoers or /etc/sudoers.d files for the user who runs sudo command. The first matching rule decides the outcome. So the order of rules in these files matters a lot.
So we will modify this file to make sure that regular sudo users are not able to obtain root access using ‘sudo su’ command.
Log into Linux as root user.
Open terminal and run the following command to backup your /etc/sudoers file.
# cp -p /etc/sudoers /etc/sudoers.ORIG
Open /etc/sudoers file in text editor.
# visudo -f /etc/sudoers
This file contains many rules, some are meant for all users while some are meant for specific users or user groups. Look for the following line for the user whom you want to deny this command. For our example, we will modify privileges of sudo user test_user. So the rule would begin with the username test_user.
##Allow test_user user to run any command test_user ALL=(ALL) ALL
Change it to the following.
##Limit the test_user user to run any command except for sudo su to root test_user ALL = ALL, !/bin/su
Save and close the file.
Please repeat the above steps for other users in your account. Now when you log in as test_user and run ‘sudo su’ command, you will get the following error.
$ sudo su - [sudo] password for test_user: Sorry, user test_user is not allowed to execute '/bin/su -' as root on testvm01.
In this article, we will learn how to disable su access to sudo user group. You can use these steps on all Debian/Ubuntu distributions to prevent sudo users and user groups from using sudo su command to switch to root users.
Also read:
How to Install Printer in Ubuntu Via Terminal
How to Unlock User Account in MySQL
How to Lock User Account in MySQL
How to Create Cartesian Product of Python Lists
How to Disable Triggers in PostgreSQL
Related posts:
Sreeram has more than 10 years of experience in web development, Python, Linux, SQL and database programming.