Disable su on machine

Yep, the 'wheel' group trick is also available on linux: you just need to configure pam for it and then, only wheel members can run su.

On Debian, you have to uncomment the wheel line of /etc/pam.d/su

This is definitely the first thing to do on any server, or else, any webserver/ hacked can lead to a root hack.


A weak password for root is foolish, regardless of the controls on 'su'. Even if user 'root' can only login at a console in a restricted machine room, I would not allow user 'root' to have a weak password.

I'd suggest disabling 'su' altogether and using 'sudo' for everything. By disabling, I mean any of:

  • Exploiting any system-specific means of restricting access to 'su' (such as the group 'wheel' trick for BSD, or the Linux equivalent). Note that there is no formal standard for this; POSIX does not mandate the presence of 'su', for example.
  • Remove it (rm -f /bin/su).
  • Remove its execute permission bits (chmod o-x /bin/su or chmod go-x /bin/su).
  • Remove its setuid permission bit (chmod u-s /bin/su).

The residual problem with disabling 'su' by removing it or removing permission bits is that some system scripts may depend on su being present. There isn't a particularly clean solution for that - but they are generally few and far between because 'su' prompts for a password and prompting isn't liked in scripted environments. The other time 'su' is used is when 'root' runs the command to become another user; this is supported by removing the setuid bit (user root can run it, but no-one else can do so usefully). You might reinforce that by removing public and possibly group execute permission too (chmod u-s,go-rwx /bin/su).

If you are not using one of the system-specific means, be very careful; test before putting this into production.


If you system uses PAM then you can disable su properly by putting something similar in /etc/pam.d/su:

# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so

# Disable all other uses of su
auth requisite  pam_deny.so

# [rest of file]