How to disable “sudo su -” and “sudo passwd root” commands for wheel group users.

  Dedicated Hosting, Shared hosting, VPS Hosting

Introduction

In Linux systems, users who belong to the wheel group are usually granted elevated privileges through sudo. By default, these users may also be able to switch to the root account using sudo su - or reset the root password using sudo passwd root.

For security and access-control purposes, administrators may want to prevent wheel group users from:

  • Switching directly to the root shell
  • Changing the root account password

This guide explains how to restrict these commands while still allowing users to perform permitted administrative tasks using sudo.

Prerequisites

Before proceeding, ensure the following requirements are met:

  • Root or administrative access to the server
  • A Linux server with sudo installed
  • Basic knowledge of Linux command-line operations
  • Access to edit the /etc/sudoers file safely using visudo
  • Existing wheel group configured in the system

Step 1: Create a New User

Create a new user account.

# adduser pheonix

Set a password for the user.

# passwd pheonix

Note: Replace pheonix with your preferred username.

Step 2: Add the User to the Wheel Group

Add the user to the wheel group to grant sudo privileges.

# gpasswd -a pheonix wheel

Verify the group membership:

# groups pheonix

Step 3: Configure Sudo Restrictions

Open the sudoers configuration file using visudo.

# visudo

Locate the following line:

%wheel  ALL=(ALL)       ALL

Replace it with:

Cmnd_Alias BLOCKSU = /bin/su, /usr/bin/passwd root

%wheel ALL=(ALL) ALL, !BLOCKSU

Step 4: Save and Exit

Save the file and exit the editor.

If using vi/vim:

:wq

Step 5: Verify the Restrictions

Login with the wheel user and test the commands.

Test sudo su -

$ sudo su -

Expected output:

Sorry, user pheonix is not allowed to execute '/bin/su' as root.

Test sudo passwd root

$ sudo passwd root

Expected output:

Sorry, user pheonix is not allowed to execute '/usr/bin/passwd root' as root.

Important Notes

  • Always use visudo instead of directly editing /etc/sudoers to avoid syntax errors.
  • Incorrect sudoers configuration can lock out administrative access.
  • These restrictions only block specified commands and do not remove other sudo privileges.

Conclusion

By configuring command restrictions in the sudoers file, administrators can improve system security and prevent wheel group users from gaining unrestricted root access or modifying the root password.

This approach helps enforce the principle of least privilege while still allowing controlled administrative operations through sudo.

LEAVE A COMMENT