Disable su on machine
Yep, the 'wheel' group trick is also available on Linux: you just need to configure PAM for it, and then only wheel members can run su.
On Debian, you have to uncomment the wheel line of /etc/pam.d/su
This is definitely the first thing to do on any server, or else any hacked webserver can lead to a root hack.
A weak password for root is foolish, regardless of the controls on 'su'. Even if user 'root' can only login at a console in a restricted machine room, I would not allow user 'root' to have a weak password.
I'd suggest disabling 'su' altogether and using 'sudo' for everything. By disabling, I mean any of:
- Exploiting any system-specific means of restricting access to 'su' (such as the group 'wheel' trick for BSD, or the Linux equivalent). Note that there is no formal standard for this; POSIX does not mandate the presence of 'su', for example.
- Remove it (rm -f /bin/su).
- Remove its execute permission bits (chmod o-x /bin/su or chmod go-x /bin/su).
- Remove its setuid permission bit (chmod u-s /bin/su).
The residual problem with disabling 'su' by removing it or removing permission bits is that some system scripts may depend on su being present. There isn't a particularly clean solution for that - but they are generally few and far between because 'su' prompts for a password and prompting isn't liked in scripted environments. The other time 'su' is used is when 'root' runs the command to become another user; this is supported by removing the setuid bit (user root can run it, but no-one else can do so usefully). You might reinforce that by removing public and possibly group execute permission too (chmod u-s,go-rwx /bin/su).
If you are not using one of the system-specific means, be very careful; test before putting this into production.
If your system uses PAM then you can disable su properly by putting something similar in /etc/pam.d/su:
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Disable all other uses of su
auth requisite pam_deny.so
# [rest of file]
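As an added example (not code from any of the answers above), the script below applies the "strip the setuid bit and group/other permissions" approach to su and verifies the resulting mode, checks whether a /etc/pam.d/su file has an active restricting line (the Debian pam_wheel.so line uncommented, or pam_deny.so as in the PAM answer), and hunts a directory tree for scripts that still invoke su, which is the testing step the answer warns about. It works on temporary files so it needs no root; the SU_PATH=/bin/su usage and the sample script contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of any answer on this page. Runs on temporary files so
# it needs no root; on a real host point harden_su at /bin/su and run as root
# after testing. Uses only POSIX sh, ls, cut, find, grep, chmod and mktemp.

set -eu

# 10-character mode string of a path, e.g. "-rwsr-xr-x" (ACL/SELinux suffix ignored).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# 0 if the file has no setuid bit and no group/other execute bits, else 1.
su_is_hardened() {
    m=$(mode_string "$1")
    user_x=$(printf '%s' "$m" | cut -c4)      # 's' or 'S' here means setuid
    group_x=$(printf '%s' "$m" | cut -c7)
    other_x=$(printf '%s' "$m" | cut -c10)
    case "$user_x" in s|S) return 1 ;; esac
    case "$group_x$other_x" in *[xsStT]*) return 1 ;; esac
    return 0
}

# Root can still run su to become another user; nobody else can run it at all.
harden_su() {
    chmod u-s,go-rwx "$1"
}

# 0 if the given /etc/pam.d/su has an active (uncommented) auth line using
# pam_wheel.so or pam_deny.so; Debian ships the wheel line commented out.
pam_su_restricted() {
    grep -E '^[[:space:]]*auth[[:space:]].*(pam_wheel\.so|pam_deny\.so)' "$1" >/dev/null
}

# List files under a directory that invoke su (not sudo) as a command:
# "su - user", "/bin/su -c", "exec su" match; "sudo", "issue" do not.
find_su_callers() {
    find "$1" -type f -exec grep -lE '(^|[^[:alnum:]_.-])su([[:space:]]|$)' {} + || :
}

# Demo on a throwaway file that simulates a stock su (setuid root, 4755).
demo() {
    tmp=$(mktemp)
    chmod 4755 "$tmp"
    printf 'before: %s\n' "$(mode_string "$tmp")"
    harden_su "$tmp"
    printf 'after:  %s\n' "$(mode_string "$tmp")"
    if su_is_hardened "$tmp"; then echo "su is hardened"; fi
    rm -f "$tmp"
}

demo
```

Run find_su_callers against /etc/init.d, /etc/cron.d and similar before changing the real /bin/su; anything it lists should be switched to sudo (or run as root, which still works after chmod u-s) before the change goes to production.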