Reverse a command and disable su on Ubuntu

Question

Whilst following an online guide on how to secure Ubuntu server, I ran this command on one of my test VM's.

sudo dpkg-statoverride --update --add root admin 4750 /bin/su

I know the intention of the command was to limit the use of su to specific users.
What I didn't realise is that su is already disabled by default on Ubuntu.

Could someone tell me how to reverse it on Ubuntu 12.04?

I have already tried:

sudo dpkg-statoverride --remove /bin/su

If it's disabled by default, and it's still disabled, then what's the problem? That command will have changed permissions on `/bin/su` to setuid root, admin group read/execute. That doesn't do much harm. If you want top open it up, `chmod g+rx /bin/su` will do that. If you want to lock it down, `chmod 0 /bin/su` will do that. — Sobrique, May 29 '14 at 15:30

flaz14 · Answer 1 · 2017-03-14T09:42:02.480

1

I've got satisfied with the following approach to disable su (tested in Lubuntu 14.10).

Open file /etc/pam.d/su. Then uncomment line:

# auth       required   pam_wheel.so

After this nobody (except users which are in root group) can use su. But it is still possible to start root session using sudo su.

edited Mar 14 '17 at 09:42

answered Apr 26 '15 at 12:21

flaz14

121
3

Reverse a command and disable su on Ubuntu

1 Answers1