pam_wheel.so [
debug
] [
deny
] [
group=name
] [
root_only
] [
trust
]
The pam_wheel PAM module is used to enforce the so-called wheel group. By default it permits access to the target user if the applicant user is a member of the wheel group. If no group with this name exist, the module is using the group with the group-ID 0.
debug
Print debug information.
deny
Reverse the sense of the auth operation: if the user
is trying to get UID 0 access and is a member of the
wheel group (or the group of the group option),
deny access. Conversely, if the user is not in the group, return
PAM_IGNORE (unless trust was also specified,
in which case we return PAM_SUCCESS).
group=name
Instead of checking the wheel or GID 0 groups, use
the name
root_only
The check for wheel membership is done only when the target user UID is 0.
trust
The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd).
Authentication failure.
Memory buffer error.
The return value should be ignored by PAM dispatch.
Permission denied.
Cannot determine the user name.
Success.
User not known.
The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants.
su auth sufficient pam_rootok.so
su auth required pam_wheel.so
su auth required pam_unix.so