Hello <div class="gmail_quote">On Tue, Jul 17, 2012 at 3:15 AM, Steven Jones <<a href="mailto:Steven.Jones@vuw.ac.nz" target="_blank">Steven.Jones@vuw.ac.nz</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi, If I login as say user1, 狢 want that user to be able to su - oracle, but not to say su - root (or to any other user). If user2 logins I want them unable to su - X at all and especially not root. If an admin logins in I want them to be able to su - anybody... In a way before I could do that with the wheel group and pam. <div class="im"> regards Steven Jones <div class="h5">rob </div></div></blockquote> </div><pre class="caseCommentStyle publicComment"># cat /etc/pam.d/su auth sufficient pam_rootok.so auth [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1 auth [success=2 default=die] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access auth [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2 auth requisite pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access auth include system-auth account sufficient pam_succeed_if.so uid = 0 use_uid quiet account include system-auth password include system-auth session include system-auth session optional pam_xauth.so</pre> With above configuration. members of group1 will be able to su only to users in /etc/security/su-group1-access members of group2 will be able to su only to users in /etc/security/su-group2-access users which are not in group1 & group2 both will not be able to su to anyone root will be able to su to anyone Hope that helps, Change it as per your requirement. Regards Arpit Tolani