There are two users in ubuntu (let's call them user1 and user2). Currently, user1 can get access root access using the below commands:
user1@sai:~$ su
Password:
root@sai:/home/user1#
However, I want to deny user1 from getting root access, and instead allow user2 to get root access through sudo when desired by modifying the Pam configuration file in /etc/pam.d/su file.
How can I do this?
This is what /etc/sudoers does with the help of some groups.
By default, if a user is a member of group admin or group sudo, they'll have the ability to run commands as the root user. So, we can just remove the user from these two groups:
sudo gpasswd -d sudo user1
sudo gpasswd -d admin user1
Note that this will not take effect immediately. user1 must log out and back in for this change to take effect.
To give user2 access to root, you may add them to either of these groups. Personally, I prefer to add them to the sudo group, like so:
sudo usermod -aG sudo user2
Again, user2 needs to log out and back in for these settings to take effect.
Note, though, that it may be possible for user1 to have a record in the /etc/sudoers file, in which case you need to delete that record.
When editing /etc/sudoers, never edit it by hand! Instead, use the visudo command, which will validate that you're not going to accidentally break your config irreversibly. Execute this with the sudo visudo command.
