Objective: Restrict the use of su by limiting access to a certain group of users.
To restrict use of the su command to members of the wheel group, add the following entry to the PAM configuration for su:
auth required pam_wheel.so group=wheel
Make sure that the above entry is placed below the rule that uses the pam_rootok PAM module:
auth sufficient pam_rootok.so
auth required pam_wheel.so group=wheel
pam_rootok is a PAM module that authenticates the user if the UID is 0. If the wheel group does not exist on the system, pam_wheel will use the group with group ID 0, which is usually the root group. On Ubuntu systems, the wheel group is not created by default. To add the wheel group to a system, use:
# groupadd wheel
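To add a user to the wheel group, use the usermod command. Note that -G without the -a (append) option replaces the user's existing supplementary group list.
# usermod -G wheel ibrahim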
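To confirm the result, the following added example (not part of the original page) audits a PAM service file for su: the pam_wheel.so rule must be active, carry group=wheel, and sit below the pam_rootok.so rule, and the group must exist so pam_wheel does not fall back to GID 0. The function name check_su_wheel, its exit codes and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper): audit a PAM "su" service file.
# Usage: check_su_wheel PAM_FILE [GROUP] [GROUP_FILE]
# Returns 0 when an active "auth required pam_wheel.so group=GROUP" rule sits
# below "auth sufficient pam_rootok.so" and GROUP exists in GROUP_FILE.
check_su_wheel() {
    pam_file=$1; group=${2:-wheel}; group_file=${3:-/etc/group}

    # pam_wheel falls back to the GID 0 group when the named group is missing.
    if ! grep -q "^${group}:" "$group_file"; then
        echo "FAIL: group '$group' not found in $group_file"
        return 4
    fi

    awk -v grp="$group" '
        /^[ \t]*#/ || NF < 3 || $1 != "auth" { next }   # active auth rules only
        $2 == "sufficient" && $3 ~ /pam_rootok\.so$/ && !rootok { rootok = NR }
        $2 == "required" && $3 ~ /pam_wheel\.so$/ && !wheel {
            for (i = 4; i <= NF; i++) if ($i == "group=" grp) wheel = NR
        }
        END {
            if (!wheel)  { print "FAIL: no required pam_wheel.so rule with group=" grp; exit 1 }
            if (!rootok) { print "FAIL: no sufficient pam_rootok.so rule"; exit 2 }
            if (wheel < rootok) { print "FAIL: pam_wheel.so is above pam_rootok.so"; exit 3 }
            print "OK: pam_rootok.so on line " rootok ", pam_wheel.so on line " wheel
        }' "$pam_file"
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:' 'wheel:x:1001:ibrahim' > "$demo_dir/group"
printf '%s\n' '# constructed sample' \
    'auth sufficient pam_rootok.so' \
    'auth required pam_wheel.so group=wheel' > "$demo_dir/su.good"
printf '%s\n' 'auth required pam_wheel.so group=wheel' \
    'auth sufficient pam_rootok.so' > "$demo_dir/su.misordered"
printf '%s\n' 'auth sufficient pam_rootok.so' \
    '# auth required pam_wheel.so group=wheel' > "$demo_dir/su.commented"

for f in good misordered commented; do
    check_su_wheel "$demo_dir/su.$f" wheel "$demo_dir/group" || echo "  (su.$f exit $?)"
done
```

On a live system, pass the actual su service file and leave the third argument unset so the check reads /etc/group.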
If possible, use sudo instead of su, as it provides better control and security.