2

I can control which users can run su or gksu by, for example, including the line auth required pam_wheel.so deny group=nosu in /etc/pam.d – then members of group nosu won’t be able to use su or gksu --su-mode.

However, this won’t stop anyone from using pkexec (and it is futile to prohibit the use of su without prohibiting the use of pkexec, since apparently pkexec offers same functionality…). Is there any similar way to control who may and who may not use pkexec?

gaazkam
  • 1,400
  • 3
  • 10
  • 17

1 Answers1

3

You could remove all permissions for the group, nosu, using an ACL.

setfacl -m g:nosu:--- /usr/bin/pkexec

After setting the ACL, users who are not members of the nosu group still use pkexec normally.

Christopher
  • 15,611
  • 7
  • 51
  • 64
  • Outta curiosity, I wonder if there is any configuration option of pkexec, PolicyKit that would disable it in a way similar to that line in pam.d though… – gaazkam Jan 10 '17 at 08:07