Configure Linux to Restrict SuperUser to One Group

The last thing you would ever want or need on your dedicated server is for an unauthorized user to gain root access. This applies to both those external users with malicious intent and those who have limited privileges and may just play around with their newfound powers. Either way, it is bad news. One practical way to restrict who can even attempt to escalate their user account to root is to restrict the ability of running “su” to a single group.

In this example, you will restrict it to the sysadmin group (Note: some server operating systems may have done this by default. You should check before proceeding).

First, create the sysadmin group:

# groupadd sysadmin

Then, restrict the “su” command to that group:

# chgrp sysadmin /bin/su

# chmod o-rwx /bin/su

Finally, add any users you want to have superuser abilities:

# usermod -g sysadmin username

That is all you have to do. You can now restrict all users except the ones you specify from using the “su” command to become root.