RHEL 7 su command
As an administrator of a Red Hat Enterprise Linux 7 (RHEL) server, you might need root access at times. The root user, or user ID 0, is the local administrator on the system. Although nothing stops you from logging in as “root” on most systems, it is preferred to gain root access using either the su command or sudo. This article covers using the su command more efficiently and controlling user and password access.
When a user issues the su command without specifying a username, they will be prompted for the root password. If authentication is successful, they will be presented with a root shell. The following are the valid mechanisms to gain root privileges with su:
This presents a nonlogin shell, where the full profile or environment of the root user is not loaded. The result is that some variables—such as $USER—are not reset and the current directory remains unchanged. Although presented with the nonlogin shell, the correct root password is still needed for authentication.
This presents a full login shell for root; all environment variables are set for root. The working directory of the user is changed to the home directory of the root user, which is usually /root.
RHEL 7 su command – caution!
Using the su command is a simple way to gain rights. This may be a convenient option for an administrator.
For a small environment, this may be acceptable; however, within an enterprise environment, this is not often viable because auditing is limited. It’s possible to trace who used the su command to gain rights; this will be recorded in the /var/log/secure log file.
As all activities from this point forward will be logged as root, we have no granularity to understand which administrator ran any particular command.
The other big downside with this method is that the user will need to know the root password. This again is a big security issue and a complete no-no.
RHEL 7 su command – controlling!
Although we want to use the su command, we can control who has access to su using PAM (Pluggable Authentication Modules). By adding users to the special administrative group: wheel, we can limit access to the su command to members of that group.
To add users to the wheel group, you will need to run # usermod -a -G wheel <username> as the root user, where <username> is the login name of the account that should be added to the wheel group. The -a option is used to append a group to the user’s current group membership list.
To ensure that only members of the wheel group use the su command, you must, as root, edit the /etc/pam.d/su PAM configuration file and un-comment the following line by deleting the # character from the start of the line:
With this change in effect, only members of the wheel administrative group will be able to use the su command in order to switch to another user ID.
We can also make a second change to the /etc/pam.d/su PAM file in order to ensure easy access to su for members of the wheel group. This change is recommended only for systems such as classroom or lab machines, never for production servers.
Edit the /etc/pam.d/su file and un-comment the following line by deleting the # character from the start of the line:
With this change, members of the wheel group are not required to authenticate with a password when using the su command.
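One way to check which of the two pam_wheel rules described above are active, and who is in wheel, as an added example that is not part of the original article. The PAM rule lines, the sample files and the function names check_su_pam and wheel_members are assumptions constructed for illustration; the parser assumes simple control keywords such as required and sufficient.

```shell
#!/usr/bin/env bash
# Report the state of the two pam_wheel rules in a su PAM file.
# Output: "restrict=<yes|no> passwordless=<yes|no>"
check_su_pam() {
    local file="$1" restrict=no passwordless=no type control module args
    while read -r type control module args || [ -n "$type" ]; do
        # Commented-out rules start with '#', so they are inactive and skipped.
        case $type in ''|'#'*) continue ;; esac
        if [ "$type" != auth ]; then continue; fi
        case $module in pam_wheel.so|*/pam_wheel.so) ;; *) continue ;; esac
        case " $args " in
            *" trust "*)
                # "sufficient ... trust": wheel members skip the password prompt.
                if [ "$control" = sufficient ]; then passwordless=yes; fi ;;
            *)
                # "required": only wheel members may use su at all.
                if [ "$control" = required ]; then restrict=yes; fi ;;
        esac
    done < "$file"
    echo "restrict=$restrict passwordless=$passwordless"
}

# List supplementary members of wheel from a group(5)-format file, one per line.
# Accounts whose primary group is wheel are not listed in this field.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "$1"
}

# Constructed sample input (not copied from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/su" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
EOF
printf 'root:x:0:\nwheel:x:10:alice,bob\n' > "$demo_dir/group"

check_su_pam "$demo_dir/su"
wheel_members "$demo_dir/group"
rm -rf "$demo_dir"
```

On a production server the result to look for is restrict=yes with passwordless=no; every name printed by wheel_members can reach root through su.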