LinuxCommandLibrary

pam_wheel

Restrict root access to wheel group members

SYNOPSIS

pam_wheel is configured within PAM service files (e.g., /etc/pam.d/su).

The module is typically invoked as part of an auth or account PAM stack:

module_type control_flag pam_wheel.so [options]

module_type: Specifies the management group, e.g., auth (for authentication) or account (for account management).
control_flag: Determines the module's influence on the overall authentication success/failure, e.g., required, sufficient, optional, requisite.
pam_wheel.so: The shared library file for the module.

PARAMETERS

debug
    Enables verbose logging to system logs for debugging purposes.

group=name
    Specifies an alternative group to check instead of the default 'wheel' group. For example, group=sudo_users.

deny
    Reverses the logic: grants access if the user is not in the specified group, and denies if they are in the group. Useful for preventing specific groups from accessing a service.

fail_safe
    If the specified group does not exist, this option treats the user as if they are not a member of the group. Without this, a non-existent group may cause the module to fail.

trust
    If the user is a member of the configured group, pam_wheel returns PAM_SUCCESS immediately, regardless of other conditions. This is usually used with the sufficient control flag.

uidonly
    Checks only the effective UID (user ID) of the process against the group, ignoring the real UID. This is less common but can be relevant in specific privilege separation scenarios.

use_uid
    When checking group membership, pam_wheel typically checks the real user ID (the user who invoked the service). With use_uid, it checks the target user's UID (the user identity that the service is trying to switch to), which is crucial for su where you're switching to a new user.

DESCRIPTION

pam_wheel is a Pluggable Authentication Module (PAM) that provides access control based on a user's membership in a specific group, traditionally the "wheel" group. It is not a standalone command but rather a shared library (pam_wheel.so) used within PAM configuration files (typically found in /etc/pam.d/).

When configured, pam_wheel checks whether the authenticating user (or the target user if use_uid is specified, which is common for su) is a member of the designated group. Depending on its configuration, it either grants access if the user is in the group or denies access if the user is not (or, with the deny option, denies access to members of the group). It is commonly employed to restrict who can use commands such as su to switch to the root user, ensuring that only authorized administrators can gain elevated privileges. Its primary purpose is to add a layer of security by enforcing group-based access policies.

CAVEATS

Group Management: Proper management of the "wheel" or specified group is paramount. Any user added to this group will gain the associated privileges.
sudo vs. su: While pam_wheel is often used with su, many systems now prefer sudo for granular privilege control, as sudo allows specific commands to be run as root without full root access. pam_wheel only controls who can become root (or another user) via su.
PAM Stack Order: The placement and control_flag of pam_wheel.so within the PAM configuration file are critical. An optional module will behave differently from a required or sufficient one.
Security Implications: If misconfigured (e.g., using deny incorrectly, or adding too many users to the controlled group), it can weaken system security.

TYPICAL USE CASE: SU COMMAND

The most common application of pam_wheel is to control access to the su command. A typical entry in /etc/pam.d/su might look like this: auth required pam_wheel.so use_uid. This configuration ensures that only users who are members of the wheel group (or of the group specified by the group= option) are allowed to switch to the root user or another user through su, provided no other PAM module in the stack explicitly permits it.
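As an added defender-side check that is not part of the original page: a POSIX shell script that parses a constructed /etc/pam.d/su sample for pam_wheel.so entries, reports whether a required entry actually gates the auth stack, and lists who the gated group admits. The service file, group file and user names are all constructed for this example.

```shell
# Added example, not part of the original page: audit a PAM service file for
# pam_wheel.so entries and list who the gated group admits. Both inputs are
# constructed samples; on a real host use /etc/pam.d/su and /etc/group.
SAMPLE_SU_CONF=$(mktemp)
cat >"$SAMPLE_SU_CONF" <<'EOF'
# constructed sample of /etc/pam.d/su
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
auth       optional     pam_wheel.so group=operators deny
auth       include      system-auth
account    include      system-auth
EOF
SAMPLE_GROUP_FILE=$(mktemp)
cat >"$SAMPLE_GROUP_FILE" <<'EOF'
wheel:x:10:alice,bob
operators:x:1001:carol
EOF

# pam_wheel_entries SERVICE_FILE
# One line per pam_wheel.so entry: "type control group options...";
# the group defaults to wheel unless a group= option overrides it.
pam_wheel_entries() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $3 ~ /pam_wheel\.so$/ {
            group = "wheel"
            for (i = 4; i <= NF; i++)
                if (index($i, "group=") == 1) group = substr($i, 7)
            printf "%s %s %s", $1, $2, group
            for (i = 4; i <= NF; i++) printf " %s", $i
            printf "\n"
        }' "$1"
}

# pam_wheel_enforced SERVICE_FILE
# Succeeds only if an auth entry uses a required/requisite control flag;
# an optional entry alone does not gate su (PAM Stack Order caveat).
pam_wheel_enforced() {
    pam_wheel_entries "$1" | awk '
        $1 == "auth" && ($2 == "required" || $2 == "requisite") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# group_members GROUP_FILE GROUP_NAME
# Prints the member list from an /etc/group-style file; everyone listed
# passes the pam_wheel check for that group (Group Management caveat).
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}
pam_wheel_entries "$SAMPLE_SU_CONF"
```

Run it against the real files to see every pam_wheel.so line with its effective group, then review that group's membership the same way.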

HISTORY

The concept of a "wheel" group originated in early versions of Unix, particularly BSD, as a way to restrict which users could use the su command to gain root privileges. Only users belonging to the "wheel" group were permitted to "spin the wheel" (i.e., gain root access). As Linux adopted PAM, pam_wheel was developed to provide this traditional access control mechanism within the flexible PAM framework. It continues to be a default part of the su PAM configuration on many Linux distributions, maintaining this historical security practice.

SEE ALSO

pam(8), pam_unix(8), su(1), sudo(8), group(5), usermod(8)
