Disable SU access for sudo users

Some times you need to disable sudo su – access on your environment so that the users will use sudo command always and they will not switch to any other users account unnecessarily

Lets see how to do it

  • Edit the /etc/suoders by running visudo
    visudo
  • Add the below Command Alias
    Cmnd_Alias BLOCKSU = /bin/su
  • If you want to block SU for only a particular user, you can use the below entry.
    user1 ALL=(ALL) NOPASSWD: ALL, !BLOCKSU
  • If you want to block it for all the users via a group like wheel, Then the below entry change will do the job
    %wheel ALL=(ALL) ALL

    to

    %wheel ALL=(ALL) ALL, !BLOCKSU

    Update: This is not a bulletproof solution, You can find ways to bypass this in the comment section.

0 0 votes
Article Rating
Subscribe
Notify of
guest
4 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
yyagol
yyagol
4 years ago

bypass very easy ,
As regular user run

cp /bin/su /bin/mysu
chmod +x /bin/mysu
sudo mysu –

Christian B
Christian B
4 years ago

Bypassed with a simple “sudo sudo su”

Ales
Ales
4 years ago

bypass if you use sudo -i

4
0
Would love your thoughts, please comment.x
()
x
Scroll to Top