Home / ubuntu / Questions / 601682
In Process
Manish Kapoor
Asked: 2015-03-27 10:13:28 +0800 CST

Restrict su to a group of users

  • 772

Is there someway to restrict su to a specific group of users?

Upon searching over the web, I came across IBM AIX's concept of sugroup. Whenever a user is created, attribute sugroup can be set; and only members of this group are allowed to su to that user.

sugroup can help me solve my problem by creating a group which contains only certain users allowed to su. Assigning sugroup means users outside this group are not permitted to be su-ed to by other users. But this concept of sugroup is not available in Ubuntu. How can it be achieved in Ubuntu?

I made following entry in /etc/pam.d/su:

auth required pam_wheel.so group=sulogin

I created following:

  • a group called sulogin which is for users allowed to su
  • users who don't belong to sulogin are user1 and user2
  • users who do belong to sulogin are admin1 and admin2

Now when I am logged in as user1 and try to su to admin1 or admin2, I am not permitted to do so. This is as per my requirement. When I am logged in as user1 and try to su to user2, I am not permitted to do this. This is not as per my requirement (although my requirements were not clearly mentioned in the original question).

I need to restrict all the users who are not in group sulogin from su-ing to any user who belongs to sulogin group. Basically, 2 levels of su privilege. So in the above mentioned scenario:

  • user1 should be able to su to user2 and vice-versa
  • user1 or user2 should not be able to su to admin1 or admin2
  • admin1 should be able to su to user1 or user2
su

1 Answers

  1. The equivalent is possible on Ubuntu, it's just not enabled by default. Check out /etc/pam.d/su:

    # Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so

    So, uncomment this auth line, then su will be restricted to members of group root. Or uncomment and add group=sulogin, if you want to restrict to the sulogin group.

    • 6