I'm new to Debian, but learning things very fast.

Working on Debian Wheezy, and I realize that if I create a new user with useradd, the user gets sudo rights! To test this, I log in with the new user through ssh, and I find that the user can sudo, and it prompts for root's password, and as the new user enters the root password, the user gets root access!

When I run more /etc/group, the sudo group only has one original user that I created while installing Debian to have sudo rights so that I don't have to log in through root for security.

But to my surprise, every new user created, even though not added to sudo group, is getting the right to sudo. Why is this happening? Anyway, my /etc/sudoers file has the following lines uncommented:

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

I'm suspecting the last line to be responsible for this. Is it due to the same? How can I stop every new user from getting the right to sudo? Thanks.

  • I would delete and/or comment the line out and see if anything changes.
    – Ramhound
    Commented Nov 15, 2013 at 19:54
  • The new user's name is aa. Now if I do id aa, I get this: uid=1001(aa) gid=1001(aa) groups=1001(aa)
    – Vishal
    Commented Nov 15, 2013 at 19:57
  • Ramhound, but that came out of the box! Seems a default setting... and nowhere it's mentioned with deb that this would happen with new users... I'm even logged into my new deb vps on ec2, the same scenario there, even though the /etc/sudoers file is blank!
    – Vishal
    Commented Nov 15, 2013 at 20:00
  • 4
    Are you sure you are not mixing su and sudo? You make a reference to the root password, but sudo uses the USER'S password to elevate to root - if she is in the sudoers... Commented Nov 15, 2013 at 20:07
  • Oh! Yes, I'm sorry, never knew sudo and su are different. Yes, I checked, I was doing su with the new users, and once I enter root's pwd, I gain root access! So, is that how it's made to function? But I need to block users from being able to su/sudo both. How can I do that? Should I change the title of this post? Thanks Mattias. Thanks a lot for helping me.
    – Vishal
    Commented Nov 15, 2013 at 20:17

1 Answer


You can use pam_wheel to disable su access for users not in the wheel group. This requires you to add a wheel group using addgroup --system wheel.

Then, add users who should have access to su to the wheel group using usermod -a -G wheel user.

Finally, add the following line to /etc/pam.d/su: auth requisite pam_wheel.so group=wheel.

  • Thanks for this info 67, am new to linux, will learn PAM management soon.
    – Vishal
    Commented Nov 16, 2013 at 12:52
  • If you want to completely disable su, you can skip adding a wheel group to your operating system. Just keep in mind that you need either to be in the sudoers group (and have a properly configured / default sudo installation) or you need to have physical access to the machine in order not to be locked out for administrative tasks. Commented Jan 5, 2016 at 9:29
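
An added example, not part of the original answer or its comments: a small audit script that checks whether the pam_wheel restriction from the answer is active, and flags the lockout case the last comment warns about (the configured group missing or empty). The sample PAM and group files, the user name alice and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit the su restriction from the answer.
# File paths are arguments, so copies of the real files can be checked.

# Print the group enforced by an active pam_wheel auth line; fail if none.
wheel_group() {
    awk '
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
        $3 ~ /pam_wheel\.so$/ {
            grp = "wheel"   # pam_wheel default when group= is absent
            for (i = 4; i <= NF; i++) {
                if ($i == "deny" || $i == "trust") next   # not an allow-list line
                if ($i ~ /^group=/) grp = substr($i, 7)
            }
            print grp; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the member list (field 4) of group $1 in group file $2; fail if absent.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4; found = 1 }
                       END { exit found ? 0 : 1 }' "$2"
}

# One-line verdict for a PAM su file ($1) and a group file ($2).
audit_su() {
    grp=$(wheel_group "$1") || { echo "UNRESTRICTED"; return; }
    members=$(group_members "$grp" "$2") ||
        { echo "DISABLED group=$grp missing"; return; }
    [ -n "$members" ] || { echo "DISABLED group=$grp empty"; return; }
    echo "RESTRICTED group=$grp members=$members"
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'auth sufficient pam_rootok.so' \
    '# auth required pam_wheel.so' > "$tmp/su.default"
printf '%s\n' 'auth sufficient pam_rootok.so' \
    'auth requisite pam_wheel.so group=wheel' > "$tmp/su.hardened"
printf '%s\n' 'root:x:0:' 'wheel:x:999:alice' > "$tmp/group"
printf '%s\n' 'root:x:0:' > "$tmp/group.nowheel"

audit_su "$tmp/su.default"  "$tmp/group"          # UNRESTRICTED
audit_su "$tmp/su.hardened" "$tmp/group"          # RESTRICTED group=wheel members=alice
audit_su "$tmp/su.hardened" "$tmp/group.nowheel"  # DISABLED group=wheel missing
```

On a live system the call would be `audit_su /etc/pam.d/su /etc/group`. Field 4 of the group file lists only supplementary members, so a user whose primary group is the audited group will not appear in the output.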
