From b570b30ad230292da7eaaad26a22437ffdab9b7e Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Wed, 13 Jun 2018 14:43:13 +0200
Subject: [PATCH] common: prevent normal users from running su
---
 roles/common/tasks/Debian.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/roles/common/tasks/Debian.yml b/roles/common/tasks/Debian.yml
index 468827b..916fc57 100644
--- a/roles/common/tasks/Debian.yml
+++ b/roles/common/tasks/Debian.yml
@@ -62,3 +62,9 @@
 - name: Disable hibernation/resume
 copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
 notify: update-initramfs
+
+- name: Prevent normal users from running su
+ lineinfile:
+ path: /etc/pam.d/su
+ regexp: '^# auth required pam_wheel.so$'
+ line: 'auth required pam_wheel.so'
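Review bot: The `regexp` on the new lineinfile task matches only one exact spelling of the commented-out line, so whether pam_wheel is enabled in place depends on the spacing in the stock file; Debian's shipped /etc/pam.d/su pads that line with runs of spaces (whitespace on this page may have been collapsed, so confirm against the repository). When the pattern does not match, lineinfile appends `line` at the end of the file, which would put the pam_wheel check after the included common-auth stack instead of directly behind pam_rootok, so the group check would run only after the password prompt. A tolerant pattern such as `regexp: '^#?\s*auth\s+required\s+pam_wheel\.so$'` matches both the commented and the already-enabled form and escapes the dot. It would also help to add a comment above the task stating that without a `group=` argument pam_wheel admits only members of `wheel` or, if that group is absent, GID 0, so administrators on these hosts need another path to root such as sudo.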