Ask root for password when using su command
Solution 1
Well, it's not really a good idea, but it IS possible. As somebody here pointed out, you can't prevent root from being the computer's god, but you can modify the "su" program to ask for passwords. It can prevent root from re-logging to other accounts unless he compiles his own version of su and uses it.
First, you'll need a compiler to be able to re-build su. As root, perform:
apt-get install build-essential
Then, download and prepare the GNU Coreutils:
ftp://ftp.task.gda.pl/pub/gnu/coreutils/coreutils-8.13.tar.gz
tar xvf coreutils-8.20.tar.xz
cd coreutils-8.20
./configure
Now access the src directory and locate the su.c file. In line 223, you'll find:
if (getuid () == 0 || !correct || correct[0] == '\0')
Change it to:
if (!correct || correct[0] == '\0')
Now, back in the coreutils-8.20 directory, run make. Compilation might take a long time. Once it's done, overwrite the current su binary with the new one:
cp src/su `which su`
And again - you're doing it wrong.
Solution 2
- root never needs a password to do anything. root is an all powerful user. root=superuser=administrator=chucknorris
- as @Cry Havok pointed out, /etc/sudoers has nothing to do with su, only sudo

SIDENOTE: running su - <user> as a regular user (non-root/unprivileged) will always ask for a password.
Solution 3
Root can become any user without requiring any authentication. Even if the su command was configured to prompt for a password, root could use some other program to issue the underlying system call. The su command is normally configured not to require a password because it's useless for security, and a lot of non-interactive scripts rely on that to perform tasks as a less privileged user.
On Ubuntu (and many other systems that use PAM), the absence of a password prompt when root runs su is implemented by the following line in /etc/pam.d/su:
auth sufficient pam_rootok.so
Note that sudo and su are completely different programs. You can't change the behavior of su by changing the configuration of sudo.
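To check which state a given /etc/pam.d/su is in, the sketch below parses PAM rule lines and reports whether an active pam_rootok.so auth rule lets root skip the prompt. It is an added example, not code from the answer: the function names are hypothetical and the sample file contents are constructed.

```python
import re

# Constructed sample contents for /etc/pam.d/su (not copied from a real system).
SAMPLE_DEFAULT = """\
# The PAM configuration file for the su service
auth       sufficient pam_rootok.so
session    required   pam_env.so readenv=1
@include common-auth
"""
# Same file with the pam_rootok rule commented out.
SAMPLE_COMMENTED = SAMPLE_DEFAULT.replace("auth ", "# auth ", 1)

# type, control (simple keyword or [value=action ...]), module path, optional args
RULE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_pam(text):
    """Yield (type, control, module, args) for each active rule.

    Comments are dropped; @include lines are skipped, so rules that live
    in included files are not evaluated by this sketch.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@"):
            continue
        m = RULE_RE.match(line)
        if m:
            module = m.group(3).rsplit("/", 1)[-1]  # tolerate absolute module paths
            yield m.group(1), m.group(2), module, m.group(4) or ""


def root_skips_password(text):
    """True if an active auth rule lets pam_rootok.so end the stack on success.

    Rule ordering is not modelled: 'sufficient' only short-circuits when no
    earlier 'required' module has already failed.
    """
    for mtype, control, module, _args in parse_pam(text):
        if mtype != "auth" or module != "pam_rootok.so":
            continue
        if control == "sufficient":
            return True
        if control.startswith("[") and re.search(r"\bsuccess=done\b", control):
            return True
    return False


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("commented", SAMPLE_COMMENTED)):
        print(name, "-> root skips password:", root_skips_password(text))
```

Removing the rule only changes what su itself asks for; as the answer says, root can still switch users by other means.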
Pavel Miron
Updated on September 18, 2022
Comments
- Pavel Miron, over 1 year: I'm trying to edit /etc/sudoers via visudo, but I don't know how to change the root rights. I want root to be prompted for the user1's password, when he tries to use su user1.
- Shawn J. Goff, over 11 years: I doubt this is possible, and it doesn't make sense. Why do you want root to be prompted for user1's password? It doesn't actually protect user1's account from root when root doesn't know the password.
- Pavel Miron, over 11 years: Maybe this is useless. This is just a question from a lab in my university. I guess this is possible, because you can indicate a user the commands he can use without password. For instance: gatoatigrado ALL=NOPASSWD: /bin/set-slow-cpufreq
- Shawn J. Goff, over 11 years: Ah, I see. So you could probably exclude su from the ALL tag to make this work.
- Cry Havok, over 11 years: sudo and su are 2 completely different commands. Nothing you do to /etc/sudoers will have any impact on how the su command behaves.
- Pavel Miron, over 11 years: Well, I added a new line to the /etc/sudoers: root ALL = (ALL:ALL) PASSWD:/usr/bin/su. Unfortunately still not working :(
- Pavel Miron, over 11 years: Cry Havok, but will have impact on how root access the su, I guess.
- Pavel Miron, over 11 years: Should be this. I commented the first line : auth sificient pam_root.so , but doesn't work.
- Shawn J. Goff, over 11 years: @ice_mint You should answer the question with the details. Also, possibly make the question more generic so that it's more useful.
- J doe, over 7 years: Not true. Chucknorris once removed the root account from all Unix machines in the world. He just added it back a few seconds later because he decided to be benevolent.