# -+- number -+- category -+- title -+- email -+- name -+- homepage -+- clickOnName -+- language -+- image -+- browser-used -+- security-cookie
=0 -+- 2000-11-16:2 -+- System Administration -+- Blocking anyone to su to root -+- yenigul@cslab.itu.edu.tr -+- Ismail YENIGUL -+- http://apache.cslab.itu.edu.tr -+- nolink -+- English -+-  -+- Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; sureseeker.com) -+- 403
The su (Substitute User) command allows you to become other existing <br> users on the system. For example you can temporarily  <br> become "root" and execute commands as the super-user "root". If <br>
you don't want anyone to su to root or restrict "su" command to <br>certain users then add the following two lines to the top of <br>your "su" configuration file in the "/etc/pam.d/" directory.<br>

1- Edit the su file (vi /etc/pam.d/su) and add the following two <br> lines to the top of the file:
<pre>
auth sufficient /lib/security/pam_rootok.so debug <br>
auth required /lib/security/pam_wheel.so group=wheel <br>
</pre>
After adding the two lines above, the "/etc/pam.d/su" file should <br>look like this: <br>
<i>
#%PAM-1.0 <br>
<b>auth sufficient /lib/security/pam_rootok.so debug <br>
auth required /lib/security/pam_wheel.so group=wheel </b><br> 
auth required /lib/security/pam_pwdb.so shadow nullok <br>
account required /lib/security/pam_pwdb.so <br>
password required /lib/security/pam_cracklib.so <br>
password required /lib/security/pam_pwdb.so shadow use_authtok nullok <br>
session required /lib/security/pam_pwdb.so <br>
session optional /lib/security/pam_xauth.so <br>
</i>
Which means only those who are a member of the "wheel" group can su to root;<br>
and to add a user to wheel group use: 
<pre>
root# usermod -G10 username<br>
</pre>
Ok, now everybody can not be root using su. When an user that is not  in wheel group runs su command ,he/she can not be root even if  he/she writes correct root password. <br>