
How to prohibit non-wheel users from using the su command on a Linux system

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces how to prohibit non-wheel users from using the su command on a Linux system. Many people run into this problem in practice, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!

By default, any ordinary user can become root and configure the system at the administrator level by running the "su -" command and entering the correct root password.

To harden the system further, it is advisable to define an administrators group and allow only members of that group to become root via "su -"; users outside the group cannot become root even if they run "su -" and enter the correct root password. On UNIX and Linux this group is conventionally named "wheel".

1. Prohibit non-wheel group users from switching to root

1. Modify the /etc/pam.d/su configuration

The code is as follows:

[root@db01 ~]# vi /etc/pam.d/su ← opens this configuration file

#auth required /lib/security/$ISA/pam_wheel.so use_uid ← find this line and remove the "#" at the beginning of the line

2. Modify the /etc/login.defs file

The code is as follows:

[root@db01 ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs ← appends the statement to the end of the file

After this is done, you can create a new user and test with it: a user who has not been added to the wheel group cannot become root by running "su -", even after entering the correct root password.

3. Add a user named woo to test whether it can switch to root.

The code is as follows:

[root@db01 ~]# useradd woo

[root@db01 ~]# passwd woo

Changing password for user woo.

New UNIX password:

BAD PASSWORD: it is WAY too short

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

4. Log in as user woo and try to switch to root

The code is as follows:

[woo@db01 ~]$ su - root ← cannot switch even though the password is entered correctly

Password:

su: incorrect password

[woo@db01 ~]$

5. Add the user woo to the wheel group and try to switch again; this time the switch succeeds.

The code is as follows:

[root@db01 ~]# usermod -G wheel woo ← adds the ordinary user woo to the administrator group wheel

[root@db01 ~]# su - woo

[woo@db01 ~]$ su - root ← this time we can see that the switch succeeds

Password:

[root@db01 ~]#

Add a user to the administrator group and prohibit ordinary users from su to root

6. Add a user and put it in the administrator group, so that ordinary users are prohibited from su to root. This prepares for the later installation of OpenSSH/OpenSSL to improve remote management security.

[root@db01 ~]# useradd admin

[root@db01 ~]# passwd admin

Changing password for user admin.

New UNIX password:

BAD PASSWORD: it is too short

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

[root@db01 ~]# usermod -G wheel admin ← or "usermod -G 10 admin" (10 is the GID of the wheel group)

[root@db01 ~]# su - admin

[admin@db01 ~]$ su - root

Password:

[root@db01 ~]#

Method 1: a group other than wheel can also be specified with the group= option. Edit /etc/pam.d/su and add the following two lines

The code is as follows:

[root@db01 ~]# vi /etc/pam.d/su

auth sufficient /lib/security/pam_rootok.so debug

auth required /lib/security/pam_wheel.so group=wheel

Method 2: edit /etc/pam.d/su and remove the "#" from the line shown below (the exact line differs by distribution)

The code is as follows:

[root@db01 ~]# vi /etc/pam.d/su

# On Red Hat:
#auth required /lib/security/$ISA/pam_wheel.so use_uid ← find this line and remove the "#" at the beginning of the line

# On CentOS 5:
#auth required pam_wheel.so use_uid ← find this line and remove the "#" at the beginning of the line

Save and exit, then append the setting to /etc/login.defs.

The code is as follows:

[root@db01 ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs ← appends the statement to the end of the file
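The steps above (uncommenting the pam_wheel line in /etc/pam.d/su, appending SU_WHEEL_ONLY to /etc/login.defs, and populating the wheel group) are easy to get subtly wrong, for example by leaving the "#" in place or by editing the wrong file. The following audit script is an added example, not part of the original article: it checks copies of those files for the expected settings and lists the wheel group members. The sample files it builds in a temporary directory are constructed for demonstration; the function names (pam_wheel_enforced, su_wheel_only, wheel_members, audit_su_restriction) are this example's own.

```shell
#!/bin/sh
# Added audit helper (not from the original article). Each function takes a
# file path so it can be run against /etc/pam.d/su, /etc/login.defs and
# /etc/group directly, or against saved copies as done below.

# Returns 0 if FILE contains an active (uncommented) line of the form
# "auth required ... pam_wheel.so"; "requisite" is accepted as well.
pam_wheel_enforced() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+.*pam_wheel\.so'
}

# Returns 0 if FILE contains an active "SU_WHEEL_ONLY yes" setting.
su_wheel_only() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+yes[[:space:]]*$'
}

# Prints the member list of the wheel group from an /etc/group-style FILE.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# Prints a verdict for both controls; returns 0 only if both are enforced.
audit_su_restriction() {
    pam_file="$1"; defs_file="$2"; status=0
    if pam_wheel_enforced "$pam_file"; then
        echo "pam_wheel: enforced in $pam_file"
    else
        echo "pam_wheel: NOT enforced in $pam_file"; status=1
    fi
    if su_wheel_only "$defs_file"; then
        echo "SU_WHEEL_ONLY: yes in $defs_file"
    else
        echo "SU_WHEEL_ONLY: not set in $defs_file"; status=1
    fi
    return $status
}

# Constructed sample files (not real system files) showing the "before" and
# "after" state of the edits described in the article.
TMP=$(mktemp -d)
cat > "$TMP/su.before" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
#auth       required    /lib/security/$ISA/pam_wheel.so use_uid
auth        include     system-auth
EOF
cat > "$TMP/su.after" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
auth        required    /lib/security/$ISA/pam_wheel.so use_uid
auth        include     system-auth
EOF
printf 'UMASK 077\n' > "$TMP/login.defs.before"
printf 'UMASK 077\nSU_WHEEL_ONLY yes\n' > "$TMP/login.defs.after"
printf 'root:x:0:\nwheel:x:10:woo,admin\n' > "$TMP/group"

# Demonstration: the unmodified files fail, the edited files pass.
if audit_su_restriction "$TMP/su.before" "$TMP/login.defs.before"; then
    echo "before: restriction in place (unexpected)"
else
    echo "before: restriction NOT in place"
fi
if audit_su_restriction "$TMP/su.after" "$TMP/login.defs.after"; then
    echo "after: restriction in place"
fi
echo "wheel members: $(wheel_members "$TMP/group")"
```

To check a live system, call the functions with /etc/pam.d/su, /etc/login.defs and /etc/group. When adding an existing user to wheel, prefer "usermod -aG wheel user": plain "-G" replaces the user's supplementary group list, which is harmless for a freshly created account like woo but can strip other group memberships from an older one.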

This is the end of "How to prohibit non-wheel users from using the su command on a Linux system". Thank you for reading. If you want to learn more about the industry, you can follow the website, where the editor will publish more high-quality practical articles for you!
