Linux: Restrict su to Group

Objective: Restrict the use of su by limiting access to a certain group of users.

To allow only members of the wheel group to use the su command, add the following entry to the /etc/pam.d/su file.

auth       required   pam_wheel.so    group=wheel

Make sure that the above entry is placed below the rule that uses the pam_rootok PAM module.

auth       sufficient pam_rootok.so
auth       required   pam_wheel.so    group=wheel

pam_rootok is a PAM module that authenticates the user if the UID is 0 (root).

If the wheel group does not exist on the system, pam_wheel will use the group with group ID 0, which is usually the root group. On Ubuntu systems, the wheel group is not created by default. To add the wheel group to a system, use groupadd.

# groupadd wheel

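To add a user to the wheel group, use the usermod command. The -a (append) option keeps the user's existing supplementary groups; -G on its own replaces them with the list given.

# usermod -aG wheel ibrahim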
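
To confirm the PAM change took effect, the following added example (not part of the original article) checks a su PAM file for an active pam_wheel rule that carries the expected group= option and sits below pam_rootok. The function name check_su_wheel and the sample file are constructed for illustration, and the check assumes the module is referenced by its bare file name, as in the entries above.

```shell
#!/bin/sh
# check_su_wheel FILE [GROUP]  (hypothetical helper, not a system tool)
# Exit 0 only if FILE has an active "auth required pam_wheel.so group=GROUP"
# rule that is not placed above the pam_rootok rule.
check_su_wheel() {
    pam_file=$1
    group=${2:-wheel}
    [ -r "$pam_file" ] || { echo "FAIL: cannot read $pam_file"; return 2; }
    awk -v want="group=$group" '
        /^[ \t]*#/   { next }   # commented-out rules are inactive
        $1 != "auth" { next }   # only the auth stack is relevant
        $3 == "pam_rootok.so" && !rootok { rootok = NR }
        $3 == "pam_wheel.so" && !wheel {
            wheel = NR; control = $2
            for (i = 4; i <= NF; i++) if ($i == want) scoped = 1
        }
        END {
            if (!wheel) { print "FAIL: no active pam_wheel rule"; exit 1 }
            if (control != "required" && control != "requisite") {
                print "FAIL: pam_wheel control is " control; exit 1 }
            if (!scoped) { print "FAIL: " want " not set on pam_wheel"; exit 1 }
            if (rootok && wheel < rootok) {
                print "FAIL: pam_wheel is above pam_rootok"; exit 1 }
            print "OK: su limited to " want
        }' "$pam_file"
}

# Constructed sample: the pam_wheel rule is present but still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth       sufficient pam_rootok.so
# auth       required   pam_wheel.so    group=wheel
EOF
check_su_wheel "$sample" || echo "sample file needs fixing"
rm -f "$sample"
```

On a live system, run it as check_su_wheel /etc/pam.d/su after editing the file.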

If possible, use sudo instead of su as it provides better control and security.

ibrahim = { interested_in(unix, linux, android, open_source, reverse_engineering); coding(c, shell, perl, php, python, java, javascript, nodejs, angular, react); plays_on(xbox, ps4); linux_desktop_user(true); }