# is it possible....

## honeymak

to limit some accounts so that they can NOT be su'd to by any others except root?

i don't mean the capability of running the su command

e.g. i want user account A that can never be su'd to by user account B, who is capable of running the su command

so,

root can su - A

while 

userB CANNOT su - A AND userB CAN su - C


----------

## shazeal

Don't tell userB userA's password? Sorry, it's hard to see why you would want a system like this in the first place.

----------

## honeymak

when auditors are at your back,

u know why

----------

## rainer

Isn't that what the wheel group is good for?

User A  -->  member of wheel group  -->  can su

User B  -->  not member of wheel group  -->  cannot su

I'm not sitting in front of my Gentoo machine right now - but that's what I remember...

----------

## wthrowe

Use sudo instead of su.  It allows finer grained control of who can do what as whom.

----------

## honeymak

hm.....seems this is the missing use case for su/sudo design

i am not needing any capability to be doing anything as anyone

i just want certain accounts that CANNOT be su-ed by any others except root

u may say 'deny to be su-ed except root'


----------

## rainer

Not sure whether I understand. What do you mean with "be su-ed by any others"?

Probably your problem can be solved by rights allocation.

----------

## wthrowe

I still think sudo can do what you want, although you might have to list all the allowed users.  Something like (UNTESTED)

```
# targetpw is a boolean flag: it is enabled by naming it, not with "= on".
Defaults       targetpw

# Sudoers lists are comma-separated. List every account that may be a target,
# i.e. everyone except userA.
Runas_Alias    ALLOWED_SU_TARGETS = userB, userC, userD

# Add whatever other shells you use.
Cmnd_Alias     SHELLS = /bin/bash, /bin/sh, /bin/tcsh

# Any user, on any host, may run one of SHELLS as one of the allowed targets.
ALL            ALL = (ALLOWED_SU_TARGETS) SHELLS
```

And then users can

```
sudo -i -u userC
```

----------

## phajdan.jr

From what I understand, you want to disallow user A to use su to become user B.

But if user A is allowed to use su, he can su to root, and then su to B. If you want to allow user A to su to some users, but not others, sudo seems to be a better option.

But the simplest solution is to not let the users use su at all.

----------

## honeymak

wthrowe's reply is more likely....but seems a tedious task...because that's not by design, i can't negate

so i have to do ALL users x ALL targets cases

phajdan.jr, it's not possible in my situation


----------

## honeymak

ooops.....seems i just found my answer in the sudoers manpage

i will give it a try
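For readers who want the "deny to be su-ed except root" rule in one place, here is an added example that is not part of this thread and does not claim to be what honeymak found. It uses the Runas_List negation documented in sudoers(5): instead of enumerating every user x target pair, one line allows a shell as any account except userA (and except root, because anyone who can become root can then `su - userA`). The file path is an assumption; the account names userA, userB and userC come from the thread.

```sudoers
# Added example policy, assumed to live in /etc/sudoers.d/su-policy.
# Edit and check it only through visudo, so a syntax error cannot lock you out:
#   visudo -cf /etc/sudoers.d/su-policy
#
# Assumptions: accounts userA, userB, userC exist, and plain su(1) is not usable
# by ordinary users (e.g. restricted to the wheel group), so sudo is the only
# way to change account. If userB can still run su and knows userA's password,
# nothing here stops userB.

# Prompt for the *target* account's password, which mimics su semantics.
Defaults        targetpw

# Shells a user may obtain as another account.
Cmnd_Alias      SHELLS = /bin/bash, /bin/sh

# Any user, on any host, may get a shell as any account EXCEPT root and userA.
# Negation inside a Runas_List is comma-separated, like every other sudoers list.
ALL             ALL = (ALL, !root, !userA) SHELLS

# root needs no entry at all: root can always `su - userA`, even if userA's
# password is locked, which is the behaviour the thread asked for.
```

To check the result, `sudo -l -U userB` (run as root) prints the entries that apply to userB, and as userB `sudo -i -u userC` is accepted after userC's password while `sudo -i -u userA` is refused by the policy before any password is tried. Keep sudo itself up to date, since the deny list only holds if the version in use matches the target account the way the manual describes.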

----------

