How to lock sudo su

Anyone willing to help me out. I found Ubuntu examples but that won’t work on EOS. Tried it already with

Cmnd_Alias DISABLE_SU = /bin/su

user ALL=(ALL) NOPASSWD: ALL, !DISABLE_SU

Thanks for your assistance…

Don’t forget that the dropins take precedence.

Also, why disable it? There are plenty of other commands that will give you root. Disabling su won’t do much good if you are trying to block root access.

Ok thanks.
Is this sufficient?

sudo passwd -l root

Any suggestions would be great. Thanks

Can you explain what you are trying to achieve?

You can’t lock out root access completely and still provide sudo access.

Think of all the commands that would give you access to a root shell. I think of 20-30 without even trying but I bet there are 100s of them.


“How to lock sudo su”
After you’re successful doing this, you wouldn’t be able to access any of your drives, and any partition which is not “/home”.

Doesn’t Calamares installer offer an option to give the “root” password, and if the user refuses then it’s like Debian/Ubuntu where he/she has to do everything with “sudo” to get “root” permissions?

Last night I was on my phone so I couldn’t elaborate but here is why blocking sudo su isn’t that useful.

  • You could use sudo -i.
  • You could just launch a shell with sudo bash or sudo sh.
  • You could launch a program that gives you a shell like sudo screen or sudo tmux
  • You could run a program that lets you run other programs like sudo xargs or sudo <insert file manager here>
  • You could run a GUI tool that lets you launch a terminal
  • Etc, etc, etc…

On top of that, sudo isn’t the only tool like that on your system. You could run all of the above commands with pkexec as well.

That is why I was asking what you were trying to accomplish. Maybe if we understood why you wanted to do that, we could be more helpful.

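The rule in the first post grants `ALL` and then subtracts `su` with `!`, which the replies above explain does not restrict root access; sudoers(5) likewise notes that subtracting commands from `ALL` is generally not effective. As an added example (not code from the thread or from EndeavourOS), this Python check flags such rules in sudoers text. The function name `audit_sudoers` and the last two sample lines are constructed, and the parser assumes one rule per line with no line continuations.

```python
import re

# Constructed sample: the first two lines are the rule quoted in the thread,
# the last two are made-up rules that should not be flagged.
SAMPLE_SUDOERS = """\
Cmnd_Alias DISABLE_SU = /bin/su
user ALL=(ALL) NOPASSWD: ALL, !DISABLE_SU
%wheel ALL=(ALL) ALL
backup ALL=(root) /usr/bin/rsync
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# who  host = (runas) command-list
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG_RE = re.compile(r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*)+")


def audit_sudoers(text):
    """Return (who, excluded_commands, nopasswd) for every rule that grants
    ALL and also lists '!' exclusions, i.e. a deny-list on top of full root."""
    aliases, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, include directives and Defaults lines.
        if not line or line.startswith(("#", "@", "Defaults")):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who, spec = m.groups()
        cmds = [TAG_RE.sub("", c.strip()) for c in spec.split(",")]
        negated = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:
            excluded = []
            for name in negated:
                # Expand a Cmnd_Alias to its paths; keep literal paths as-is.
                excluded.extend(aliases.get(name, [name]))
            findings.append((who, excluded, "NOPASSWD" in spec))
    return findings


if __name__ == "__main__":
    for who, excluded, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: ALL minus {excluded} is still full root (NOPASSWD={nopasswd})")
```

Run it over the contents of `/etc/sudoers` and each file under `/etc/sudoers.d/`, since the drop-ins take precedence.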

You could simply lock the root account.

You would still - if your primary user is in wheel group - be able to elevate permissions.

sudo usermod -L root

Any member of the wheel group would be able to unlock root but if tightening security is your goal this is likely the best option.

All other users on the system could then be ordinary users - best practice on a multi-user system.

That won’t stop sudo su which was the original request.

It is correct that you cannot prevent a member of the wheel group from executing sudo su.

The topic title is - as you point out - How to lock sudo su and the answer is you cannot.

That leads to your question - what do you want to do - we still need an answer to that - right?

My thought - thus my comment - is the only reason one would want to block sudo su is to tighten security.

Which was part of my comment - other users created as ordinary users.

  1. lock root account
  2. optional - revert the first line in /etc/shadow to default thus eliminating any and all access to root account
  3. only a few users member of wheel - the rest ordinary users.

That will effectively eliminate the use of sudo su - of course this could be circumvented when superuser is careless with password or uses a simple to guess passwd - and that is an entirely different topic.

You certainly can stop sudo su from working. I just don’t see how it helps anything.

That being said, I am not sure that locking the root account increases security in any practical way.


Can’t you just change the password?
su -
give original password

passwd - change new password

new password

Wow thanks for the discussion and help. I was originally under the impression that locking down sudo su was good security practice policy. I learned how wrong I was, thanks.

I’ve had EOS installed and working for over a year but last week I got an error with certificate ca and I couldn’t connect online for whatever reason so I just installed Cassini. Glad I chose to install the new system because it is so much easier to use with all the new changes.

Awesome Job EOS Team, Thanks!!!

This post is just me setting up my new system and with some questions.

I wish there was a post on the wiki that gave better real world layman examples about system admin after setting up a new system other than of course the Arch wiki.

Seems I remember a website called “Tips and Tricks” exclusively dedicated to post system install on Ubuntu years ago. It covered everything all in one long single website.

Well enough already Thanks again.

The fast and effective method is

sudo pacman -R sudo

I can think of a few

  • root is the most bruteforced user account in the history of computers
  • sudo has the purpose of elevating permissions for trusted users
  • locking root account eliminates a variable

Locking root account doesn’t prevent a system from being compromised - there are other methods available to hack a system.

Unless you are paranoid in which case you would use qubes-os.org

On a single user system there is absolutely no reason to lock root or disable sudo su, the latter only works if the current user is superuser and the system is unlocked and - either current user has just used sudo for maintenance or the password is too easy.