Allow only a user to su

Hey there!
How do you allow only a standard user to su - ?
I added the chosen user and root to the wheel group, uncommented “auth required pam_wheel.so use_uid” in /etc/pam.d/su and in /etc/pam.d/su-l.

Result: Pamac and other apps don’t accept the root password anymore;
the user is now promoted to “administrator” in KDE’s system settings.

What I wish to accomplish: a standard user be the only one able to su to root.
Tnx

Why not simply remove the unprioritised user from the wheel group?

https://wiki.archlinux.org/title/Users_and_groups

By the way, normally Pamac and other applications requesting a password (as privilege escalation) ask for the password of the user and not of root.

https://wiki.archlinux.org/title/Polkit

Thank you for answering.
I wouldn’t know what an “unprioritised user” is; anyway, my wheel group is empty.
Read your links but couldn’t find the answer to my question.
By the way, my Pamac, when requested to do administrative tasks, asks for the administrator’s password, which is root on my system; that of a standard user fails, as I think it should be.

The root account doesn’t need to be added to the wheel group. It already has write access to everything.

Certain applications rely on the polkit framework for privilege escalation ─ Pamac is one of them ─ and if the user is a member of the wheel group, then these applications will ask for the user’s own password, not the root account’s password.


Didn’t you just say that you added your user to the wheel group?

1 Like

Hi Aragorn,
thanks for the very clear explanations.


> Didn’t you just say that you added your user to the wheel group?

Right, I added the user to the wheel group, but it didn’t work as expected, so I “rolled back”.
Therefore the situation is:
we have root, group root;
we have standard user1, group user1 (not default. Dunno why the default Manjaro’s user is made “administrator”, don’t share that choice, which imho is more suitable for a William H. Gates III’ OS;)
we have group wheel, which is empty (default config here).
How do we allow user1 and only user1 to su to root?
(preventing everybody else -present and future users- to be able to ‘su -’ )

The way you did it earlier, i.e. add the user to the wheel group and uncomment that line in /etc/pam.d/su and /etc/pam.d/su-l.

Do however keep in mind that this is distinct from the polkit setup, which asks the user for their own password if they are in the wheel group, or for the root password if they are not ─ provided that a root password was set, because if one chooses the same password for root as for the user during system installation, then the root account won’t have a password and cannot be logged into, similar to how it is done in Ubuntu and derivatives (and possibly even Debian by now).
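
A way to verify the setup described in this thread, as an added example that is not part of the original posts: the shell functions below check whether the `pam_wheel.so` line is active in a PAM file and report who is in `wheel`. The function names and the sample files (including GID 998) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether su is limited to the wheel group.
# Paths are parameters so the check can run on copies; on a live system
# pass /etc/pam.d/su (or /etc/pam.d/su-l) and /etc/group.

# Succeeds only if the file has an uncommented "auth required pam_wheel.so" line.
su_restricted() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Prints the supplementary members of "wheel" from a group(5) file.
# Limitation: a user whose primary group is wheel is not listed in that field.
wheel_members() {
    awk -F: '$1 == "wheel" { gsub(/,/, " ", $4); print $4 }' "$1"
}

# Prints a one-line verdict for one PAM file and one group file.
su_audit() {
    pam_file=$1
    group_file=$2
    members=$(wheel_members "$group_file")
    if ! su_restricted "$pam_file"; then
        echo "open: pam_wheel not active"
    elif [ -z "$members" ]; then
        echo "locked: wheel has no members"
    else
        echo "restricted: $members"
    fi
}

# Constructed sample files (not taken from the thread) so this runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
    '#auth required pam_wheel.so use_uid' > "$demo_dir/su.default"
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
    'auth required pam_wheel.so use_uid' > "$demo_dir/su.wheel"
printf '%s\n' 'root:x:0:' 'wheel:x:998:user1' 'user1:x:1000:' > "$demo_dir/group"
printf '%s\n' 'root:x:0:' 'wheel:x:998:' > "$demo_dir/group.empty"

su_audit "$demo_dir/su.default" "$demo_dir/group"       # line still commented
su_audit "$demo_dir/su.wheel" "$demo_dir/group"         # user1 is the only member
su_audit "$demo_dir/su.wheel" "$demo_dir/group.empty"   # line active, wheel empty
```

On a real system, run `su_audit` once for `/etc/pam.d/su` and once for `/etc/pam.d/su-l`, since the thread uncomments the line in both files.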

Thank you Aragorn for the confirmation, I wasn’t sure of the procedure.
I’ve always kept separate passwords for everything, and I’ve never used the wheel group before, so I felt not at ease with a user suddenly becoming “administrator”. I’ll mark the case solved, thank you.

1 Like
