You can prevent *anybody* to su to root.
As the admin, you would create an user for yourself and add yourself to the wheel group (and removed unwanted users).
Quote:
If group 0 (normally ``wheel'') has users listed then only those users
can su to ``root''. It is not sufficient to change a user's /etc/passwd
entry to add them to the ``wheel'' group; they must explicitly be listed
in /etc/group. If no one is in the ``wheel'' group, it is ignored, and
anyone who knows the root password is permitted to su to ``root''.
|
You would use sudo as it can be fine-tuned (20 pages man page) but the OpenBSD defaut /etc/sudoers is OK for most workstations: just visudo and un-comment what is needed.
Also note the difference between;
su
and su -l root
which simulates a full login.
You can achieve this for sudo but need to rtfm.