How to limit access to the su command in Linux

Jack Wallen shows you a simple trick to heighten your Linux server security, by limiting Linux users' access to the su command.

How to limit access to the su command in Linux

If you've added Linux to your data center, or you're simply employing a single Linux machine for your business, you need to make sure it is as secure as possible. Of course, everyone assumes Linux is one of the most secure platforms on the planet. While that may be true, you can do many things to further improve the security of your Linux installation.

One trick is to limit access to the su command. By using the su command, users can change from one user to another (if they have the other user's password). Why is this important? You might have certain users in an admin group who have full access to certain directories (some of which might contain sensitive data) and don't want users not in the group to be able to switch to a user (by using the su command), and then gaining access to that information.

This trick can be done on any Linux distribution, but I'm going to demonstrate on the Ubuntu Server platform. We will create a new group, add users to that group, and then restrict access to the su command to that group.

SEE: IT staff systems/data access policy (Tech Pro Research)

But how do we limit the access to the su command? It's actually quite easy. Let me show you.

Creating the group

We will first create a new group on our server (or desktop). To do this, open a terminal window and issue the command:

sudo groupadd admin

You now have a new group added to the system. If you find that the admin group already exists, you might have to create a group with a different name.

Adding users to the new group

Let's say we have user jack, and we want to add him to the new group so that he has access to the su command. The command for this would be:

sudo usermod -a -G admin jack

Once you run that command, user jack will be a member of the admin group.

Restricting su access

Now we need to allow those in the admin group access to the su command. This can be done with a single command. Back at your terminal window, issue the following:

sudo dpkg-statoverride --update --add root admin 4750 /bin/su

Give it a whirl

From the terminal window login as user jack. If you attempt to use the su command as that user, it will be allowed. Why? Because jack is a member of the admin group, which has access to su. However, if you log in as another user and attempt to use the su command, it will be denied (Figure A). Why? Because only those in the admin group have access to su.

Figure A

Figure A

User yoyo has been denied access to the su command.

And that is all there is to limiting access to the su command in Linux. Although this isn't the only step you need to take in order to harden your Linux installations, it will certainly prevent users from accessing a tool that could elevate their permissions to levels they shouldn't have.

Also see

Image: Jack Wallen