5.14. Blocking; su to root, by one and sundry

Edit the su file vi /etc/pam.d/su and add the following two lines to the top of the file:

auth sufficient /lib/security/pam_rootok.so debug auth required /lib/security/pam_wheel.so group=wheel

After adding the two lines above, the /etc/pam.d/su file should look like this:

#%PAM-1.0 auth sufficient /lib/security/pam_rootok.so debug auth required /lib/security/pam_wheel.so group=wheel auth required /lib/security/pam_pwdb.so shadow nullok account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so shadow use_authtok nullok session required /lib/security/pam_pwdb.so session optional /lib/security/pam_xauth.so

Which mean only those who are a member of the wheel group can su to root; it also includes logging. Note that the wheel group is a special account on your system that can be used for this purpose. You cannot use any group name you want to make this hack. This hack combined with specifying which TTY devices root is allowed to login on will improve your security a lot on the system.

Now that we have defined the wheel group in our /etc/pam.d/su file configuration, it is time to add some users allowed to su to root account. If you want to make, for example, the user admin a member of the wheel group, and thus be able to su to root, use the following command:

[root@deep] /# usermod -G10 admin

• Which means G is a list of supplementary groups,

• Where the user is also a member of, 10 is the numeric value of the user's ID wheel,

• admin is the user we want to add to wheel group.