13

I have disabled root user login in the Sshd.conf file, so now no one can log in as the root user even if they know the password SOMEHOW.

Now I have 3 users on the server: ROOT, EMERG and ORACLE. I want to allow switching to ROOT by using `su -` only to the EMERG user, and not to the ORACLE user.

Because normally, if users know the ROOT password, they can switch to root using `su -`. And I want this feature available only to the EMERG user.

How do I do this?

Thanks in advance.

Gilles 'SO- stop being evil'
OmiPenguin
  • 11
    Have a look at `sudo`; it allows much better and finer-grained access control. Plus, it can authenticate users with **their** passwords. – peterph Jan 22 '13 at 10:16
  • 1
    If my answer works for you, you may want to mark it as correct. – Bananguin May 17 '13 at 07:00

1 Answer

16

`su` (mostly) uses PAM for authentication, and PAM has a module called `pam_wheel` which checks the group membership of the authenticating user. In short, by adding

```
auth       required   pam_wheel.so group=becomeroot
```

to the file `/etc/pam.d/su`, only users who are members of the group `becomeroot` may become root using `su`. Now you make sure only your user EMERG is a member of the group `becomeroot`. Some distros have/use the group named `wheel` for that.

```sh
groupadd becomeroot         # add the group becomeroot to your system
gpasswd -a EMERG becomeroot # add the user EMERG to the group becomeroot
```

Further reading: pam(7), pam_wheel(8), groupadd(8), gpasswd(1). Many distros have explanatory comments in `/etc/pam.d/su` as well.

Bananguin
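One way to verify the setup described in the answer above, as an added example that is not part of the original answer: the script reads a PAM `su` file, a group file and a passwd file, and fails if any account other than the expected ones belongs to the group that `pam_wheel` enforces. The function names and the sample files are constructed for illustration.

```shell
# Added example: audit which accounts pass a pam_wheel restriction on su.
# File paths are arguments, so it can run on copies of the real files.

# wheel_group PAMFILE: print the group enforced by an active
# "auth required pam_wheel.so" line; non-zero exit if there is none.
wheel_group() {
    awk '$1 == "auth" && $2 == "required" && $3 ~ /pam_wheel\.so$/ {
             g = "wheel"   # module default when no group= option is present
             for (i = 4; i <= NF; i++) if ($i ~ /^group=/) g = substr($i, 7)
             print g; found = 1; exit
         }
         END { exit !found }' "$1"
}

# group_members GROUP GROUPFILE PASSWDFILE: supplementary members plus accounts
# whose primary GID is the group; non-zero exit if the group is missing.
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# audit_su PAMFILE GROUPFILE PASSWDFILE ALLOWED...: succeed only if the
# restriction is active and every member of the group is on the allowed list.
audit_su() {
    pam=$1; grp=$2; pw=$3; shift 3
    group=$(wheel_group "$pam") || { echo "FAIL: no active pam_wheel line in $pam"; return 1; }
    members=$(group_members "$group" "$grp" "$pw") || { echo "FAIL: group $group missing"; return 1; }
    rc=0
    for m in $members; do
        case " $* " in
            *" $m "*) echo "ok: $m passes pam_wheel (group $group)" ;;
            *) echo "FAIL: unexpected member $m in $group"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files mirroring the answer's setup (not real system data).
demo=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_rootok.so' \
    'auth       required   pam_wheel.so group=becomeroot' > "$demo/su"
printf '%s\n' 'root:x:0:' 'becomeroot:x:1001:EMERG' 'oinstall:x:1002:ORACLE' > "$demo/group"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'EMERG:x:1000:1000::/home/EMERG:/bin/sh' \
    'ORACLE:x:1003:1002::/home/ORACLE:/bin/sh' > "$demo/passwd"
audit_su "$demo/su" "$demo/group" "$demo/passwd" EMERG
```

On a live system, point it at `/etc/pam.d/su`, `/etc/group` and `/etc/passwd`, followed by the accounts that are supposed to be in the group.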