How do you disable su?

sudo su pam

I'm confused about su a bit. I just want to prevent users from using su across the board. Authorized users will have sudo access so they can be root if desired. We just want to completely disable su in any case.

This source has you uncomment and replace auth required pam_wheel.so with auth required pam_wheel.so use_uid from /etc/pam.d/su https://securitronlinux.com/bejiitaswrath/how-to-disable-the-su-to-root-in-linux-using-pam/ but the page says

This will require a user to login as root at a terminal to be able to use a root prompt.

so I'm concerned it will prevent users from using sudo -s

Also, we don't want users to be able to escape to root and then su into each other's accounts. I see in /etc/pam.d/su

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

Is it safe for me to comment this line? Will that finish achieving my objective without locking us all out?


Solution 1:

In Ubuntu is used security model:

  1. You cannot login as root - account has a password blocked.
  2. Users can gain root permissions only via sudo. To do it they must be in sudo or admin group or direct in sudo config files.

So if you want that users can't use su, remove them from sudo and admin groups. If they can do some admin tasks, then better add them to the group myadmins and configure permissions of group myadmins in sudoers config file.

Related

How to get the network interface through which traffic is routed
Software updater 16.04 not responding for a upgrade to 18.04 [duplicate]
how can i download ubuntu's kernel?
ubuntu 20.04 notify-updates-outdated not found
Application in the Dock can't be added to favourites
Install Code::Blocks 12.11 on Ubuntu
Making Canon LBP6000 printer work under Ubuntu 14.04 64-bit
append a word to the end of a line in txt file
Change default terminal back to Bash in VS Code
Installing Avogadro 1.2.0 From Source Ubuntu 20.04
How to safely change username and hostname?
Cannot use snap to install