How to Block β€˜su’ Access for Sudo Users

Linux TLDR
Last Updated:
Reading time: 1 minutes

In UNIX/Linux, su is the most powerful command that allows you to access the root account or another user’s account with their account password.

Although you can easily restrict or disable su command access for a specific user with sudo privileges by following the steps in this article.

Tutorial Details

DescriptionBlock β€˜su’ Access to Sudo Users
Difficulty LevelModerate
Root or Sudo PrivilegesYes
OS CompatibilityUbuntu, Manjaro, Fedora, etc.
Prerequisitesvisudo
Internet RequiredNo

How to Block β€˜su’ Access for Sudo Users

You need to modify the β€œ/etc/sudoers” file in order to prevent or block sudo users from accessing the su command.

But first, take a backup of this file using the following command:

$ sudo cp /etc/sudoers /etc/sudoers.bak

And then open the file using any of the following commands:

$ sudo visudo

#OR

$ sudo nano /etc/sudoers

Create the following alias under the β€œ#Cmnd alias specificationβ€œ comment section.

Cmnd_Alias DISABLE_SU = /bin/su

Output:

Creating an alias inside the sudoers file

Then add the following line at the end of the file, replacing β€œlinuxtldr” with the actual username.

linuxtldr ALL=ALL, !DISABLE_SU

Output:

Blocking su access for sudo users

Save and close the file, then restart the current session to reflect the changes.

Next time, when you try to access the β€œsu” command using sudo, you will be prompted with the following error:

Current logged-in user is disabled from accessing the su command

That’s all for now; sayonara.

Join The Conversation

Users are always welcome to leave comments about the articles, whether they are questions, comments, constructive criticism, old information, or notices of typos. Please keep in mind that all comments are moderated according to our comment policy.