
How to Block Regular Users from Using the su Command on Linux

This guide explains why the su command is available to all users by default, then shows how to back up the sudoers file, edit it with visudo, define a command alias to disable /usr/bin/su, and apply the restriction to individual users or entire groups, complete with verification steps.

Liangxu Linux

The su command lets a user run commands as another user or group, often used to switch to the root account. By default, every Linux user can invoke su, which may be undesirable in a multi‑user environment.

Back up the sudoers file

Before making any changes, create a copy of /etc/sudoers to preserve the original configuration:

sudo cp -p /etc/sudoers /etc/sudoers.back

Edit sudoers safely with visudo

Open the sudoers file using visudo, which checks syntax before saving:

sudo visudo

Define a command alias that disables su

Locate the ## Command Aliases section and add the following line:

Cmnd_Alias DISABLE_SU = /usr/bin/su

Restrict a specific user

At the end of the file, add a rule for the user (replace bob with the target username) that denies the alias while keeping other sudo privileges:

bob ALL=(ALL) NOPASSWD: ALL, !DISABLE_SU

Save and exit. The rule lives in sudoers, so it governs su when it is run through sudo. When bob attempts to run su - user01 through sudo, sudo will respond with an error such as:

Sorry, user bob is not allowed to execute '/bin/su - user01' as root on localhost.localdomain.

Disable su for an entire group

To block all members of a group (e.g., wheel), add a similar rule using the group name:

%wheel ALL=(ALL) ALL, !DISABLE_SU

After saving, any user belonging to the wheel group will be prevented from using su.

Verification

Test the restriction by switching to the affected user and running the su command through sudo. The expected error confirms that the configuration works as intended.
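The manual test above covers one account at a time. The following script is an added example, not part of the original article: it statically audits a sudoers-format file and reports, for every rule that grants ALL, whether su is still permitted, taking into account that sudoers applies the last matching entry in a rule. The names audit_su, sample_sudoers and the user alice are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit a sudoers-format file for the su restriction.
# Assumptions: one rule per line, no "\" continuations, includes not followed.
audit_su() {   # audit_su FILE -> "<principal> allowed|blocked" per rule granting ALL
    awk '
    # Pass 1: record every Cmnd_Alias whose members name a su binary.
    NR == FNR {
        if ($1 == "Cmnd_Alias") {
            line = $0; sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
            eq = index(line, "=")
            name = substr(line, 1, eq - 1); gsub(/[ \t]/, "", name)
            n = split(substr(line, eq + 1), m, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", m[i])
                if (m[i] == "/usr/bin/su" || m[i] == "/bin/su") su[name] = 1
            }
        }
        next
    }
    # Pass 2: skip comments, blanks, include directives, Defaults and aliases.
    /^[ \t]*(#|@|$)/ || $1 == "Defaults" || $1 ~ /_Alias$/ { next }
    {
        spec = $0
        sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", spec)  # drop who host=(runas)
        gsub(/[A-Z_]+:[ \t]*/, "", spec)                  # drop tags (NOPASSWD:)
        n = split(spec, c, ",")
        all = 0; ok = 0
        for (i = 1; i <= n; i++) {      # in sudoers the last match wins
            gsub(/^[ \t]+|[ \t]+$/, "", c[i])
            t = c[i]; sub(/^![ \t]*/, "", t)
            if (c[i] == "ALL") { all = 1; ok = 1 }
            else if (c[i] ~ /^!/ && (t in su || t == "/usr/bin/su" || t == "/bin/su")) ok = 0
        }
        if (all) print $1, (ok ? "allowed" : "blocked")
    }' "$1" "$1"
}

# Constructed sample, not from a real host; alice shows the ordering pitfall.
sample_sudoers() {
    cat <<'EOF'
## Command Aliases
Cmnd_Alias DISABLE_SU = /usr/bin/su
root    ALL=(ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL, !DISABLE_SU
%wheel  ALL=(ALL) ALL, !DISABLE_SU
alice   ALL=(ALL) !DISABLE_SU, ALL
EOF
}
f=$(mktemp); sample_sudoers > "$f"; audit_su "$f"; rm -f "$f"
```

Run it as root against /etc/sudoers, or against the /etc/sudoers.back copy made earlier to compare the state before and after the change.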
