How to have a user who can 'su' to another user but not allowed to 'su' root
In my server, I have 2 groups: ssh-users and su-users.
ssh-users holds the users I ssh to the box with. User sshu is a member of ssh-users. Once logged in to the server, I want ssh-users members to be able to su to a user of the su-users group, but I don't want them to be able to su to root.
su-users holds users who can do core work, and I want them to have rights to su to root or any user.
How can I achieve this on Debian?
I tried the pam_wheel.so module in /etc/pam.d/su, but any group I mention there is allowed to su to root.
I also tried this but with no effect:
1 Answer
This is the way su works by default. All you need to do is make sure that your root password is secure. To su to any user, you need to know that user's password. So, if your ssh-users don't have root's password, they won't be able to switch to root. As long as they have the target user's pass they will be able to su to that user.
I don't understand what else you need.
5
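One way to get the split described in the question with pam_wheel, shown as an added example that is not from the original question or answer: the `root_only` option makes pam_wheel check group membership only when the target of `su` is root. It assumes the group name su-users from the question and a Debian-style `/etc/pam.d/su`; it does not limit which non-root accounts can be targeted.

```conf
# /etc/pam.d/su (fragment): added example, not the poster's file

# Root may su to any account without a password.
auth       sufficient pam_rootok.so

# Too broad for this goal: without root_only, group membership is
# required for EVERY su, whatever the target. Users outside the group
# cannot su at all, and any group named here is admitted to root too.
# auth     required   pam_wheel.so use_uid group=su-users

# Narrower: membership in su-users is checked only when the target
# account has UID 0. A member of ssh-users who is not in su-users is
# refused su to root even with the root password, while su to any
# other account still depends only on that account's password.
# use_uid checks the real UID of the calling process.
auth       required   pam_wheel.so use_uid root_only group=su-users

# The normal password check for the target account follows.
@include common-auth
```

The `auth required` line sits after `pam_rootok.so` and before the password modules, so a refused caller fails regardless of the password entered.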