I've noticed that "su" can be run from any user account so long as the user knows the root password. What if I want to limit the ability to "su" to only 1 user account?

For example: Pretend my desktop has 4 different user accounts. Currently each user account could run "su" for root access if the person sitting in front of the screen knows the password.

My questions:

1) Could I somehow make only 1 of the 4 user accounts able to "su" into root mode?

2) If yes, then would doing so have any side-effects?

Thank you.

You want "sudo", which lists who can do what in /etc/sudoers and /etc/sudoers.d. Don't let the manpage scare you, look at the examples towards the end or google for them.

sudo bash (or your preferred shell) works just as well as su.

Not to my knowledge. ROOT = GOD on Unix/Linux systems. Once a user knows the root password, the only way to limit that user is to change the password. You can set the users on your system up to use sudo instead. It's a much better way to allow temp root privileges for certain users.

EDIT: jthill beat me by a minute or two.

In addition to what jthill said I would add that your first problem is that unauthorized people know the root password.

You can remedy this problem as jthill said by using sudo. That way you put the name of the authorized user account into the /etc/sudoers file and that person only needs to know their own password to do whatever they need to do that requires privileges. This way you don't share the root password with anyone and the authorized person cannot tell others the root password.

It's not a fool proof system but it is better than telling one person the root password and then that person shares the password with unauthorized people, if that is what is happening.

To add to what was said above, the sequence is this:
1. install sudo,
2. configure sudo so the user who need root access can get it using sudo
3. Educate the sudo user about the sudo command needed to do the job
4. change the root password to something NO ONE ELSE KNOWS
5. wait for the panic calls from the users who should never have had root access, complaining that it went away.

If you do not change the root password AND keep the new one secret, you will not have solved the problem.

This takes some chops. If you own the machine, this is no problem. If you have a boss, if those who just lost root authority complain to the boss that they can no longer work because of the change he MAY order you to reverse this! You need to have informed him about what you are doing and have his support FIRST in this case. If you have no boss or ARE the boss, get it done yesterday.

Been there, done that, buried the melted phone beside the parking lot in an unmarked grave. (But made the new policy stick, and improved uptime by a 9!)

both is not true. You can configure the su command in a way that only members of the group wheel are permitted to become root via su. Add the option "SU_WHEEL_ONLY yes" to your /etc/login.defs file.

Note that configuring for sudo (which is a very good solution) does not prevent anyone from using su to become root. So consider to do both (restrict su and configure sudo).

Markus

2 members found this post helpful.

Couldn't any user defeat the SU_WHEEL_ONLY option by just logging in as root? In other words, logout of the system completely and then login as:

username: root
pw: <root password>


I still say the root password makes anyone GOD on a Linux system. Am I wrong?

In principle, one could disable ssh root logins and lock the machine up somewhere (no console access) and turn off all other remote login services so that people could only login via ssh. Then people could not login directly as root (at least not in any way I could think of -- /bin/login appears to require root privs already to work). Still, the point remains that untrusted users having the root password is a very bad thing. Still, a good reason to disable su is so that even trusted users have to use sudo, which provides much more fine grained access control.

Since the real problem is that other users know the root password, the first step should be to change the root password.
You can configure sudo to use the users password instead of the target password (root's password) to allow trusted regular users to run some root commands but not learn the root password.

If you don't lock down the sudo configuration, users can get around it by running "sudo /bin/bash" or a shell escape in vim, but the first command would be logged, and they would have to remember to edit the log.

If the regular users only need to do things like mount external drives, and eject media, instead of giving them sudo access, consider using PolicyKit instead.
Look at the "polkit-auth" command or the KDE/Gnome policy editors.

Why did you tell the other users the root password, then? That's the whole point of a password: if you know it, you can get in.

Change the password and tell it only to the people who you want to be able to log in as root.

Isn't it easier to set permissions?
To be honest yes wrong..GOD is person who has physical access to computer not root password knowing..

Hmmm - so based upon these replies - it might be possible to limit "su" to just one user, but would everyone agree that adopting the "sudo" instead of "su" approach be easier?

If you mean configuring sudo instead of giving the root-password to other persons, then the sudo approach is better.

Markus

Yes, that is what I meant. Thank you all for your help. I will see if I can mark this "solved".