How to Disable su Access for sudo Users

The su command is a special Linux command that allows you to run a command as another user and group. It also allows you to switch to the root account (if run without any arguments) or to another specified user account.

By default, all users are allowed to access the su command. As a system administrator, however, you can disable su access for a user or group of users, using the sudoers file as explained below.

The sudoers file drives the sudo security policy plugin, which determines a user's sudo privileges. The sudo command allows users to run programs with the security privileges of another user (by default, as the root user).

To switch to another user account, a user can run the su command from their current login session as shown. In this example, the user john is switching to a test user account. The user john will be prompted to enter the password for the test user account:

$ su test

To switch to the root account, a user must have the root password or have privileges to invoke the sudo command. In other words, the user must exist in the sudoers file. In this example, the user john (a sudo user) is switching to the root account.

After invoking sudo, the user john is prompted to enter his or her password; if it is valid, the user is granted access to an interactive shell as root:

$ sudo su

To Disable su Access for a Sudo User

To disable su access for a sudo user, for example the user john above, first back up the original sudoers file located at /etc/sudoers as follows:

$ sudo cp /etc/sudoers /etc/sudoers.bak

Then open the sudoers file using the following command. Note that it is not recommended to edit the sudoers file by hand; always use the visudo command:

$ sudo visudo

Under the command aliases section, create the following alias:

Cmnd_Alias DISABLE_SU = /bin/su

Then add the following line at the end of the file, replacing the username john with the user you want to disable su access for:


Save the file and close it.

Then test to verify that the configuration is working, as follows. The system should return an error message like this: “Sorry, user john is not allowed to execute ‘/bin/su’ as root on tecmint.”

$ sudo su

Disable su Access for a Group of Sudo Users

You can also disable su access for a group of sudo users. For example, to disable su access for all users in the group admin, modify the line:

%admin ALL=(ALL) ALL

to this:


Save the file and close it.
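
To check which sudo rules actually carry the restriction described above, the following added example (not part of the original article) reads sudoers-style text and reports, for each rule granting ALL, whether an alias covering su is negated. The function names are hypothetical, the sample input is constructed, and its `!DISABLE_SU` rule lines are an assumption based on standard sudoers negation syntax.

```shell
#!/bin/sh
# Added example, not from the article. Reads sudoers-style text on stdin;
# $1 is the su path named in the alias (default /bin/su).
# Limitations: include directives and line continuations are not followed.
audit_su_rules() {
    awk -v su="${1:-/bin/su}" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF == 0 || $1 ~ /^#/ || $1 ~ /^Defaults/ { next }
        $1 == "Cmnd_Alias" {
            # Remember aliases whose command list contains the su path.
            name = $2; sub(/=.*/, "", name)
            list = $0; sub(/^[^=]*=/, "", list)
            n = split(list, c, ",")
            for (i = 1; i <= n; i++) if (trim(c[i]) == su) covers[name] = 1
            next
        }
        $1 ~ /_Alias$/ { next }
        index($0, "=") {
            spec = $0; sub(/^[^=]*=/, "", spec)
            sub(/^[ \t]*\([^)]*\)/, "", spec)   # drop the (runas) part
            gsub(/[A-Z_]+:/, "", spec)          # drop tags such as NOPASSWD:
            all = 0; neg = 0
            n = split(spec, c, ",")
            for (i = 1; i <= n; i++) {
                item = trim(c[i])
                if (item == "ALL") all = 1
                if (substr(item, 1, 1) == "!") {
                    t = trim(substr(item, 2))
                    if (t == su || (t in covers)) neg = 1
                }
            }
            if (all) print $1, (neg ? "su-denied" : "su-allowed")
        }
    '
}

# Constructed sample; the "!DISABLE_SU" rule lines are an assumption.
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset
Cmnd_Alias DISABLE_SU = /bin/su
root ALL=(ALL:ALL) ALL
john ALL=(ALL) ALL, !DISABLE_SU
%admin ALL=(ALL) ALL, !DISABLE_SU
%sudo ALL=(ALL:ALL) ALL
EOF
}

sample_sudoers | audit_su_rules /bin/su
```

On a live system the same function can be fed with `sudo cat /etc/sudoers | audit_su_rules`. The sudoers manual itself cautions that subtracting commands from ALL with `!` is generally not effective as a restriction, so treat a su-denied result as a policy signal rather than a guarantee.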

For more information about su, sudo, and sudoers, check their man pages:

$ man su
$ man sudo
$ man sudoers
