How can I restrict users from switching with the su command?

Suppose there are 3 users (root, user1 and user2). Only root and user1 can switch by using the su command. root or user1 should not be able to switch to user2 by using the su command.

```
root@instance# su - user1            # ok
user1@instance$ sudo su -            # ok
root@instance# su - user2            # should be blocked
user1@instance$ sudo su - user2      # should be blocked
```

How can I do this?

OS is RHEL 7

Arden Smith
  • You can't prevent root from doing anything. Other users require the password, so don't give them the password. – Michael Hampton Mar 15 '21 at 01:30
  • Can't you give them [sudo access](https://www.howtogeek.com/111479/htg-explains-whats-the-difference-between-sudo-su/) to a restricted set of options? [Where su is not one]. – Mr R Mar 15 '21 at 07:36

1 Answer

As you know, the root user is the conventional name of the user who has all rights or permissions (to all files and programs) in all modes (single- or multi-user).

The root user can do many things an ordinary user cannot, such as changing the ownership of files and binding to ports numbered below 1024. The etymology of the term may be that root is the only user account with permission to modify the root directory of a Unix system. This includes the su command to switch to another user.

For that reason, you can't restrict the use of the su command for the root user.

As for user1, you can restrict the use of the su command by removing the user from the wheel group, because any user in that group inherits root-level privileges.

Have fun!

Arden Smith
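An added example, not part of the answer above and not the poster's code: a shell check of which users are in the wheel group and whether `su` is gated on wheel by an active `pam_wheel.so` rule. The group and PAM file contents are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report wheel membership and whether su is restricted to
# wheel through PAM. Paths are arguments so the functions can be pointed at
# the constructed samples below or at the real /etc/group and /etc/pam.d/su.

# Print the supplementary members of wheel, one per line, from a group(5) file.
# Users whose primary GID is wheel's are not listed there and are not covered.
wheel_members() {
    awk -F: '$1 == "wheel" && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "${1:-/etc/group}"
}

# Succeed if user $1 is a wheel member according to group file $2.
in_wheel() {
    wheel_members "${2:-/etc/group}" | grep -Fxq -- "$1"
}

# Succeed if PAM file $1 has an active (uncommented) pam_wheel.so auth rule.
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' \
        "${1:-/etc/pam.d/su}"
}

# Constructed sample data, modelled on the users in the question.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:user1
users:x:100:user1,user2
EOF
cat > "$SAMPLE_DIR/su" <<'EOF'
auth            sufficient      pam_rootok.so
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
EOF

for u in user1 user2; do
    if in_wheel "$u" "$SAMPLE_DIR/group"; then
        echo "$u: in wheel"
    else
        echo "$u: not in wheel"
    fi
done
if su_requires_wheel "$SAMPLE_DIR/su"; then
    echo "su: restricted to wheel by pam_wheel"
else
    echo "su: pam_wheel rule is commented out or absent"
fi
```

On a real host, call the functions without a file argument to read `/etc/group` and `/etc/pam.d/su`; `gpasswd -d user1 wheel` removes a user from the group.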