Restrict who can become root with practical, reversible steps that keep admin workflows intact.

22.01.2026 | reading time: 2 min

Curious how to stop random users from switching to root while preserving legitimate administration? This short guide shows concrete steps to restrict the `su` command so only trusted accounts can escalate privileges, and it demonstrates the change with commands you can run now.

## Quick demo

Do it: create a wheel group, bind PAM, test failure, then allow an admin account. Example session:

```bash
# Run the setup steps as root.
# Ensure wheel exists
getent group wheel || groupadd wheel

# Add admin 'dev' to wheel
usermod -aG wheel dev

# Enforce wheel in PAM by adding this line to /etc/pam.d/su:
# auth required pam_wheel.so use_uid

# Test as non-wheel user 'guest'
su -
# Output: Authentication failure

# Now as 'dev' (in wheel)
su -
# Output: root@host:~#
```

## What to watch next

Check details: `pam_wheel.so` accepts flags such as `use_uid`, which checks the invoking user, `deny`, which inverts the check so that group members are refused, and `debug`, which adds logging. Remember that some distributions use group names like 'wheel' or 'root', and that altering PAM affects all `su` clients, so test on a nonproduction host before deploying.

## Audit, fallback and alternatives

Log and recover: enable syslog/auditd to capture denied attempts, and keep a root-capable console user in case of misconfiguration. Prefer `sudo` for fine-grained command control when you need per-command policies or auditing instead of blanket root switching.

## Final thought

Limit `su` to reduce attack surface, but do it with careful testing and logging so legitimate administration continues uninterrupted. Learn more about Linux privilege management and consider certifying with CompTIA Linux+ or LPIC-1, with bitsandbytes.academy offering intensive exam preparation.
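A pre-deployment check for the `pam_wheel` restriction on `su` described in this guide, as an added example that is not part of the original page. The function names, return codes and sample files are assumptions made for illustration; the script reads copies of the PAM and group files passed as arguments, so it can be run before `/etc/pam.d/su` is changed.

```shell
#!/usr/bin/env bash
# Added example: audit a PAM su file and a group file for the pam_wheel setup.
# File paths are arguments, so copies can be checked before touching /etc.

# Print the first active (uncommented) "auth required pam_wheel.so" line.
# Only the control value used in this guide ("required") is recognised.
active_wheel_line() {
    awk '$1 == "auth" && $2 == "required" && $3 ~ /pam_wheel\.so$/ {
             print; found = 1; exit }
         END { exit !found }' "$1"
}

# Supplementary members of a group (4th field of a group(5) file).
# Users who have the group only as their primary group are not listed there.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Usage: check_su_restriction PAM_FILE GROUP_FILE
# Returns 0 = restricted, 1 = not restricted, 2 = deny set, 3 = empty group.
# Not modelled: pam_wheel falls back to the GID 0 group if 'wheel' is absent.
check_su_restriction() {
    local line tok group=wheel deny=0 members
    if ! line=$(active_wheel_line "$1"); then
        echo "OPEN: no active pam_wheel line, su is not group-restricted"
        return 1
    fi
    for tok in $line; do
        case "$tok" in
            group=*) group=${tok#group=} ;;   # pam_wheel group= option
            deny)    deny=1 ;;                # inverts the membership check
        esac
    done
    if [ "$deny" -eq 1 ]; then
        echo "WARN: 'deny' set, members of '$group' are blocked from su"
        return 2
    fi
    members=$(group_members "$group" "$2")
    if [ -z "$members" ]; then
        echo "LOCKOUT RISK: group '$group' has no members"
        return 3
    fi
    echo "OK: su limited to group '$group' (members: $members)"
}

# Constructed sample files for a dry run (not real system files).
demo=$(mktemp -d)
printf '%s\n' '# auth required pam_wheel.so' \
    'auth required pam_wheel.so use_uid' > "$demo/su"
printf '%s\n' 'root:x:0:' 'wheel:x:10:dev' > "$demo/group"
check_su_restriction "$demo/su" "$demo/group" || true
```

To check a live host without modifying it, pass copies of `/etc/pam.d/su` and `/etc/group`.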