Home > Articles > Operating Systems, Server

  • Print
  • + Share This
From the author of

Putting PAM to Work: Enforcing wheel

It is traditional on Unix-like systems to allow certain actions to occur only if the user in question is a member of the wheel group, reserved by convention for users with system administration type of access. Among the actions usually restricted to wheel is the su command, which allows one user to take on the user ID of another user, most often the root user.

Many users are surprised to learn that the wheel group is not enforced by default on Linux systems, meaning that any user at all can execute the su command and use it to log in as root if the password is known. Clearly, the ability to execute su to completion is a security risk in the hands of normal users. Let's remedy the situation.


If you're not aware of the wheel group, don't worry—it's not hard to implement. The wheel group is simply a way of restricting access to some sensitive services (such as su) to a small group of users who have been given administrative privileges. You probably have a wheel group in your /etc/group file already. If not, simply add one with groupadd and then add users as necessary to the wheel group to create your administrator class. For example, if you want frank, mary, and joe to be administrators, the wheel entry in your /etc/group file might look like this:


This line makes frank, mary, and joe members of the wheel group. Then, using simple techniques such as those documented in this section, you can grant access to services such as su only to these users.

We're going to amend the /etc/pam.d/su file, which controls the authentication behavior of the su command, to the following behavior:

  • Allow only members of the wheel group to use su at all.

  • Require all users, even root, to enter a password when trying to use su to gain root-level access.

  • Log all su uses.

The updated /etc/pam.d/su file looks like the one shown in Listing 4.

Listing 4 Updated /etc/pam.d/su File

auth       required   pam_warn.so
auth       requisite  pam_wheel.so group=wheel
auth       required   pam_pwdb.so
account    required   pam_pwdb.so
password   required   pam_pwdb.so use_authtok

session    required   pam_pwdb.so

This /etc/pam.d/su file is obvious in its use of the pam_pwdb.so module, well documented in the PAM users guide and used often throughout the other PAM configuration files. New here, however, is the pam_wheel.so module, which simply checks to make sure that the user is a member of the wheel group. Because it is marked as requisite, if the stack entry fails (when the user is not a member of wheel), the stack exits immediately in failure without continuing. Thus, only members of wheel will even be asked to enter a password. All others will be denied from the beginning.


If you want to implement wheel and protect su against access from non-wheel members, you should also take another step: Change ownership of the su binary to the wheel group and remove public execute permissions, as follows:

chown root.wheel /bin/su

chmod 4750 /bin/su

  • + Share This
  • 🔖 Save To Your Account