Pam Wheel

Introduction

Set up the pam_wheel module to restrict the execution of su, editing /etc/pam.d/su and (optionally) adding a wheel group.

The root group will be checked if the wheel group does not exist, but it is recommended to leave that group to root alone.

Restrict the execution of su

With root privileges uncomment the following line in /etc/pam.d/su, by removing the leading '#':

#auth       required pam_wheel.so

That's all for the file and no user can execute su anymore. This is the most secure configuration.

Allow a user to execute su

After having restricted the execution of su, create the group wheel with root privileges:

# groupadd wheel

And then add user_name to that group:

# usermod -G wheel user_name

From now user_name can execute su.