How to Disable ‘su’ Access for Sudo Users

The su command is a special Linux command that allows you to run a command as another user and group. It also allows you to switch to the root account (if run without any arguments) or another specified user account.

All users by default are allowed to access the su command. But as a system administrator, you can disable su access for a user or group of users, using the sudoers file as explained below.

The sudoers file drives the sudo security policy plugin which determines a user’s sudo privileges. The sudo command allows users to run programs with the security privileges of another user (by default, as the root user).

To switch to another user account, a user can run the su command from their current login session as shown. In this example, the user aaronk is switching to a testuser account. The user aaronk will be prompted to enter the password for the testuser account:

$ su testuser
Switch to Different User
Switch to Different User

To switch to the root account, a user must have the root password or have privileges to invoke the sudo command. In other words, the user must exist in the sudoers file. In this example, the user aaronk (a sudo user) is switching to the root account.

After invoking sudo, the user aaronk is prompted to enter his or her password, if it’s valid, the user is granted access to an interactive shell as root:

$ sudo su
Switch to Root User
Switch to Root User

Disable su Access for a Sudo User

To disable su access for a sudo user for example the aaronk user above, first, back up the original sudoers file located at /etc/sudoers as follows:

$ sudo cp /etc/sudoers /etc/sudoers.bak

Then open the sudoers file using the following command. Note that it’s not recommended to edit the sudoers file by hand, always use the visudo command:

 
$ sudo visudo

Under the section of command aliases, create the following alias:

Cmnd_Alias DISABLE_SU = /bin/su

Then add the following line at the end of the file, replace the username aaronk with the user you wish to disable su access for:

aaronk ALL=(ALL) NOPASSWD: ALL, !DISABLE_SU

Save the file and close it.

Then test to verify that setup is working as follows. The system should return an error message like this: “Sorry, user aaronk is not allowed to execute ‘/bin/su’ as root on tecmint.”.

$ sudo su
Disable Su Access to Sudo User
Disable Su Access to Sudo User

Disable su Access for a Group of Sudo Users

You can also disable su access for a group of sudo users. For example to disable su access for all users in the group admin, modify the line:

%admin ALL=(ALL) ALL

to this:

%admin ALL=(ALL) ALL, !DISABLE_SU

Save the file and close it.

To add a user to the admin group, run the usermod command (replace username with the actual user):

$ sudo usermod -aG  admin  username

For more information about the su, sudo and sudoers, check their man pages:

$ man su
$ man sudo
$ man sudoers

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

5 Comments

Leave a Reply
  1. But if the user aaronk knows the root password he can still do a “su – root” (without sudo) to gain root access, right?

    Reply
    • @Sven,

      Yes, you are right – If a user knows the root password, he can indeed gain access to the root account on a system.

      Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.