I'm on RHEL 6.8

I have a user "myuser" with sudoer rights and other users with no sudoers rights.

Can I allow only root to do a "su myuser" locally?

Thank you

Matthew
  • No, you can't. root can do whatever he wants. – Gerald Schneider Jan 24 '18 at 12:46
  • Hello. Actually, it is not my problem. There is no problem to let root become "myuser", but I don't want other users to become "myuser". – Matthew Jan 24 '18 at 13:38
  • Well, that's not what you are asking in the question. Anyway, the only way for "otheruser" to su to "myuser" is by knowing the password of "myuser". In that case the user can just log in as "myuser". What are you trying to accomplish? – Gerald Schneider Jan 24 '18 at 13:53

1 Answer

Well, once you allow a user to become root, short of using SELinux there's no way to restrict them. Which is why you shouldn't hand out root permissions willy-nilly.

I'd recommend moving away from su to sudo.

That being said, you could cook up something with gpasswd and pam_wheel.so, but at best it might break scripts and at worst it's a security risk:

Use pam_wheel in /etc/pam.d/su.

Quoting man pam_wheel:

NAME
       pam_wheel - Only permit root access to members of group wheel

SYNOPSIS
       pam_wheel.so [debug] [deny] [group=name] [root_only] [trust] [use_uid]
[...]
group=name
       Instead of checking the wheel or GID 0 groups, use the name group to perform the authentication.

References:

https://askubuntu.com/questions/601682/restrict-su-to-a-group-of-users

fuero
  • Hello, thank you for your answer. Actually your link and your example are short but obvious, I've been able to understand now. Thank you :) – Matthew Jan 24 '18 at 13:50
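An added, worked version of the pam_wheel approach from the answer above (this is example code, not part of the original post or answer). It reproduces the stock RHEL 6 /etc/pam.d/su as constructed sample input, inserts an "auth required pam_wheel.so use_uid group=..." line directly after pam_rootok, and then checks that the line is active and correctly ordered. The group name "su-allowed" and the script name are assumptions. Two caveats worth knowing before relying on it: without the root_only option pam_wheel checks every su target, so this restricts who may use su at all, not only su to "myuser"; and /etc/pam.d/su governs only su, so "sudo -u myuser" and a direct login with myuser's password are unaffected.

```shell
#!/bin/sh
# Added example, not from the original post or answer. It applies the
# pam_wheel "group=" idea to a copy of the stock RHEL 6 /etc/pam.d/su and
# then checks the result. The group name "su-allowed" is an assumption.
set -eu

# Stock RHEL 6 /etc/pam.d/su, reproduced here (constructed sample input) so
# the example can be run against a scratch file instead of the live system.
stock_su_pam() {
cat <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required    pam_wheel.so use_uid
auth        include     system-auth
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     optional    pam_xauth.so
EOF
}

# Insert "auth required pam_wheel.so use_uid group=GROUP" directly after the
# pam_rootok line of FILE. Order matters: pam_rootok is "sufficient", so root
# is admitted before pam_wheel runs; use_uid makes pam_wheel look at the real
# uid of the caller instead of PAM_RUSER. Idempotent.
add_su_group_restriction() {
    file=$1 group=$2
    grep -Eq "^auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*group=$group" "$file" && return 0
    awk -v line="auth        required    pam_wheel.so use_uid group=$group" '
        { print }
        /^auth[ \t]+sufficient[ \t]+pam_rootok\.so/ { print line }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Return 0 only if FILE has an active (uncommented) pam_wheel line for GROUP
# and it comes after pam_rootok; anything else means the restriction is not
# in effect as intended.
su_restricted_to_group() {
    file=$1 group=$2
    rootok=$(grep -nE '^auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so' "$file" | head -n1 | cut -d: -f1)
    wheel=$(grep -nE "^auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*group=$group([[:space:]]|$)" "$file" | head -n1 | cut -d: -f1)
    [ -n "$rootok" ] && [ -n "$wheel" ] && [ "$rootok" -lt "$wheel" ]
}

# Host-side steps (need root; not executed here): create the group and add
# the accounts that may still use su. root does not need to be a member,
# pam_rootok already admits it.
setup_group() {
    group=$1; shift
    getent group "$group" >/dev/null || groupadd "$group"
    for u in "$@"; do gpasswd -a "$u" "$group"; done
}

# Usage as root on the host:  sh su-restrict.sh apply su-allowed myuser
if [ "${1:-}" = "apply" ]; then
    shift; g=$1; shift
    setup_group "$g" "$@"
    add_su_group_restriction /etc/pam.d/su "$g"
    su_restricted_to_group /etc/pam.d/su "$g" && echo "su is now limited to members of $g"
fi
```

Keep a root shell open while testing the change: an ordering mistake (pam_wheel before pam_rootok, or a typo in the group name with no members) locks everyone but root out of su, and a typo in the module name can make every su fail.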