From 9a327e7965e31d82a30a0a3b70817a64ad778355 Mon Sep 17 00:00:00 2001 From: IMTheNachoMan Date: Mon, 14 Dec 2020 18:50:15 -0500 Subject: [PATCH] #41 --- README.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/README.md b/README.md index 57f3f0a..8f78eb4 100644 --- a/README.md +++ b/README.md @@ -822,6 +822,46 @@ sudo lets accounts run commands as other accounts, including **root**. We want t ([Table of Contents](#table-of-contents)) +### Limit Who Can Use su + +#### Why + +su also lets accounts run commands as other accounts, including **root**. We want to make sure that only the accounts we want can use su. + +#### Goals + +- su privileges limited to those who are in a group we specify + +#### References + +- Thanks to [olavim](https://github.com/olavim) for sharing [this idea](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/41) + +#### Steps + +1. Create a group: + + ``` bash + sudo groupadd suusers + ``` + +1. Add account(s) to the group: + + ``` bash + sudo usermod -a -G suusers user1 + sudo usermod -a -G suusers user2 + sudo usermod -a -G suusers ... + ``` + + You'll need to do this for every account on your server that needs sudo privileges. + +1. Make it so only users in this group can execute `/bin/su`: + + ``` bash + sudo dpkg-statoverride --update --add root suusers 4750 /bin/su + ``` + +([Table of Contents](#table-of-contents)) + ### NTP Client #### Why
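Review bot: the note under step 2 of the new "Limit Who Can Use su" section, "You'll need to do this for every account on your server that needs sudo privileges.", looks copied from the sudo section above and should read "su privileges", since this group gates `/bin/su`, not sudo. Two smaller points on step 3: mode `4750` keeps the setuid bit but removes execute for "other", so any account not in `suusers` gets a permission error from `su` rather than a password prompt; it would help readers to state that and to add a verification line such as `ls -l /bin/su` (expected `-rwsr-x--- 1 root suusers`). Also worth noting in the text that `dpkg-statoverride` is used instead of a plain `chmod`/`chgrp` because it records the override so package upgrades do not reset the permissions, which also means the step applies only to Debian-based systems that use dpkg.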