Disable SU access for sudo users

11. January 2017 AWS, CentOS, RHEL 4
Disable SU access for sudo users

Some times you need to disable sudo su – access on your environment so that the users will use sudo command always and they will not switch to any other users account unnecessarily

Lets see how to do it

  • Edit the /etc/suoders by running visudo
    visudo
  • Add the below Command Alias
    Cmnd_Alias BLOCKSU = /bin/su
  • If you want to block SU for only a particular user, you can use the below entry.
    user1 ALL=(ALL) NOPASSWD: ALL, !BLOCKSU
  • If you want to block it for all the users via a group like wheel, Then the below entry change will do the job
    %wheel ALL=(ALL) ALL

    to
    %wheel ALL=(ALL) ALL, !BLOCKSU

    Update: This is not a bulletproof solution, You can find ways to bypass this in the comment section.

4 thoughts on “Disable SU access for sudo users”

  • 1
    yyagol on February 11, 2020 Reply

    bypass very easy ,
    As regular user run

    cp /bin/su /bin/mysu
    chmod +x /bin/mysu
    sudo mysu –

    • 2
      Jobin Joseph on February 11, 2020 Reply

      Is it working for you if you set the recommendation like in the blog post ?

  • 3
    Christian B on July 6, 2020 Reply

    Bypassed with a simple “sudo sudo su”

  • 4
    Ales on August 31, 2020 Reply

    bypass if you use sudo -i

Leave a Reply

Your email address will not be published. Required fields are marked *