Pam Wheel

Introduction

Set up the pam_wheel module to restrict the execution of su to members of the wheel group. This involves editing /etc/pam.d/su and (generally) adding a wheel group. The root group will be used if the wheel group does not exist, but it is not recommended to include non-root users in the root group.

Restrict the execution of su

With root privileges, uncomment the following line in /etc/pam.d/su by removing the leading '#':

auth required pam_wheel.so

Now no user (other than root, and anyone else in the root group) can execute su.

Allow a user to execute su

After restricting the execution of su, create the wheel group (this requires root privileges):

# addgroup --system wheel

And then add user_name to that group:

# adduser user_name wheel

Now user_name can execute su. Repeat the adduser call for other users if required.
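To confirm the result of the steps above, the following check reports whether su is restricted and which group's members may use it. It is an added example, not part of the original page; the function names and the sample files it writes are constructed for illustration, and it assumes the pam_wheel line carries no group= option.

```shell
#!/bin/sh
# Added example: audit whether su is restricted by pam_wheel, and to whom.
# File paths are parameters so the check can also run against copies.

# Print the first active (uncommented) "auth required|requisite pam_wheel.so"
# line. Lines using the deny or trust options have a different meaning and
# are not counted as the restriction described on this page.
active_wheel_line() {
    grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1" \
        | grep -Ev '[[:space:]](deny|trust)([[:space:]]|$)' | head -n 1
}

# Print the group that is checked: wheel if it exists, else the GID 0 group.
effective_group() {
    if grep -q '^wheel:' "$1"; then
        echo wheel
    else
        awk -F: '$3 == 0 { print $1; exit }' "$1"
    fi
}

# Print the comma-separated members listed for group $2 in group file $1.
# Users who only have the group as their primary group are not listed there.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Print "unrestricted" or "restricted:<group>:<members>".
su_policy() {
    pam_file=$1
    group_file=$2
    if [ -z "$(active_wheel_line "$pam_file")" ]; then
        echo unrestricted
        return
    fi
    grp=$(effective_group "$group_file")
    echo "restricted:$grp:$(group_members "$group_file" "$grp")"
}

# Constructed sample files so the check runs offline.
tmp=$(mktemp -d)
printf 'auth       required   pam_wheel.so\n' > "$tmp/su"
printf 'root:x:0:\nwheel:x:999:user_name\n' > "$tmp/group"
su_policy "$tmp/su" "$tmp/group"
rm -rf "$tmp"
```

On a real system, run su_policy /etc/pam.d/su /etc/group after making the changes.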

