The su command allows a user to run commands as another user and group. It also allows you to switch to the root account or another designated user account.
To switch to another user account, users can run the su command from their current login session, as shown below:
[bob@localhost ~]$ su - user01
Password:
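By default, all users can use the su command. We can disable the su command in /etc/sudoers. Because sudoers is the policy file for sudo, the rule below takes effect when su is run through sudo, which is what the verification step tests.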
To switch to the root account, the user must know the root password. In this example, the user is switching to the root account.
[user01@localhost ~]$ su -
Password:
Disable su access rights for ordinary users. First, back up the original /etc/sudoers file as follows:
[bob@localhost ~]$ sudo cp -p /etc/sudoers /etc/sudoers.back
[sudo] password for bob:
Use the visudo command to open the sudoers configuration file:
[bob@localhost ~]$ sudo visudo
Add the following line below the ## Command Aliases section:
Cmnd_Alias DISABLE_SU = /usr/bin/su
Then add the following line at the end of the file, replacing the username bob with the user whose su access you need to disable:
bob ALL=(ALL) NOPASSWD: ALL, !DISABLE_SU
Save and exit.
Verify as user bob. The system should return the following error message: "Sorry, user bob is not allowed to execute '/bin/su - user01' as root on localhost.localdomain."
[bob@localhost ~]$ sudo su - user01
Sorry, user bob is not allowed to execute '/bin/su - user01' as root on localhost.localdomain.
You can also disable the su access rights of a user group. For example, to disable su access for all users in the group wheel, open the file with visudo and add the following line:
[bob@localhost ~]$ sudo visudo
%wheel ALL=(ALL) ALL, !DISABLE_SU
Save and exit.
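An added example, not part of the original article: a small Python audit that reads sudoers text and reports, for every user or %group rule granting ALL, whether su is excluded through an alias such as DISABLE_SU. The sample file, the user alice and the function names are constructed for illustration; it covers the single-line rule forms shown on this page, not the full sudoers grammar.

```python
import re

# Constructed sample mirroring the rules on this page (not a real system's file).
SAMPLE_SUDOERS = """\
## Command Aliases
Cmnd_Alias DISABLE_SU = /usr/bin/su
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL, !DISABLE_SU
bob     ALL=(ALL)       NOPASSWD: ALL, !DISABLE_SU
alice   ALL=(ALL)       ALL
"""

SU_PATHS = {"/usr/bin/su", "/bin/su"}  # /bin is a symlink to /usr/bin on many distros
SKIP = re.compile(r"#|Defaults|(Cmnd|User|Host|Runas)_Alias")
RULE = re.compile(r"(\S+)\s+\S+?=\s*(?:\([^)]*\))?\s*(.+)")

def parse_aliases(text):
    """Map each Cmnd_Alias name to the set of command paths it lists."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            cmds = m.group(2).split(",")
            aliases[m.group(1)] = {c.split()[0] for c in cmds if c.strip()}
    return aliases

def audit_su(text):
    """Return {principal: 'su denied' | 'su allowed'} for rules that grant ALL."""
    aliases = parse_aliases(text)
    report = {}
    for line in (l.strip() for l in text.splitlines()):
        m = None if SKIP.match(line) else RULE.match(line)
        if not m:
            continue
        who, cmds = m.groups()
        # Drop tags such as NOPASSWD: so "NOPASSWD: ALL" compares equal to "ALL".
        items = [re.sub(r"^(?:[A-Z]+:\s*)+", "", c.strip()) for c in cmds.split(",")]
        if "ALL" not in items:
            continue
        denied = set()
        for item in items:
            if item.startswith("!") and len(item) > 1:
                name = item[1:].strip()
                denied |= aliases.get(name, {name.split()[0]})
        report[who] = "su denied" if denied & SU_PATHS else "su allowed"
    return report

if __name__ == "__main__":
    for who, status in audit_su(SAMPLE_SUDOERS).items():
        print(f"{who:8} {status}")
```

The result describes sudo policy only: direct su still depends on the target account's password, and the sudoers manual cautions that subtracting commands from ALL with ! is not a strong restriction.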