Pam Wheel


Set up the pam_wheel module to restrict the execution of su by editing /etc/pam.d/su and (optionally) adding a wheel group.

The root group will be checked if the wheel group does not exist, but it is not recommended to include non-root users in the root group.

Restrict the execution of su

With root privileges, uncomment the following line in /etc/pam.d/su by removing the leading '#':

auth required pam_wheel.so

That is the only change needed in the file. After it, no user other than root can execute su. This is the most secure configuration.

Allow a user to execute su

After restricting the execution of su, use root privileges to create the group wheel:

# addgroup --system wheel

And then add user_name to that group:

# adduser user_name wheel

From now on, user_name can execute su.
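
An added example (not part of the original page): a shell check that reports whether the pam_wheel restriction described above is active and which group members it admits. The function names are hypothetical, and only the option-less line shown on this page is recognised.

```shell
#!/bin/sh
# Added example: audit the pam_wheel restriction on su.
# Function names are hypothetical; paths default to the real files,
# pass other paths to run the check against copies.

# Succeeds if the file has an uncommented "auth required pam_wheel.so" line.
# Lines carrying module options are deliberately not treated as a match.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]*$' "$1"
}

# Prints the group that is checked: wheel if it exists, otherwise root.
wheel_group_name() {
    if grep -q '^wheel:' "$1"; then echo wheel; else echo root; fi
}

# Prints the member field of a group from a group(5) file.
# Users whose primary group is that group are not listed in this field.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Prints "unrestricted" (exit 1) or "restricted group=<name> members=<list>".
su_wheel_status() {
    pam_file=${1:-/etc/pam.d/su}
    group_file=${2:-/etc/group}
    if ! pam_wheel_enforced "$pam_file"; then
        echo "unrestricted"
        return 1
    fi
    grp=$(wheel_group_name "$group_file")
    echo "restricted group=$grp members=$(group_members "$group_file" "$grp")"
}
```

Source the file and call su_wheel_status with no arguments to check the live system. An unexpected name in the members list, or any non-root member when the group reported is root, is worth reviewing.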

