LinuxCommandLibrary

pam_wheel

Restrict root access to wheel group members

SYNOPSIS

pam_wheel.so [debug] [group=groupname] [uid=uid] [use_uid] [trust] [deny]

PARAMETERS

debug
    Enables verbose debugging messages to be logged via syslog.

group=groupname
    Specifies the group name that is authorized to acquire root privileges. Defaults to 'wheel' if not specified.

uid=uid
    Specifies a user ID (UID) that is authorized to acquire root privileges. This is an alternative to using a group membership. It overrides the group parameter.

use_uid
    Uses the effective UID instead of the real UID. Useful for programs that change the UID before calling PAM.

trust
    If the user is a member of the configured group, the module returns PAM_SUCCESS immediately without performing any further checks. Essentially, it 'trusts' the group membership.

deny
    If the user is NOT a member of the configured group, the module returns PAM_SUCCESS. Otherwise, the module returns PAM_AUTH_ERR. This option reverses the behavior, allowing you to deny access to users outside the specified group.

DESCRIPTION

The pam_wheel module is a Pluggable Authentication Module (PAM) that provides a mechanism to restrict root access (or other elevated privileges) to members of a specific Unix group, typically the 'wheel' group. It checks if the user attempting to gain privileges is a member of the configured group. If they are, the authentication proceeds. If not, it fails. This module enhances security by limiting who can escalate their privileges, reducing the risk of unauthorized system modifications.

It's commonly used with tools like su, sudo or login to ensure only members of the designated group can become root. Using pam_wheel requires editing the relevant service configuration file under /etc/pam.d/.

Note: The pam_wheel.so module must be loaded before the pam_rootok.so or pam_succeed_if.so modules in the PAM configuration file.

CAVEATS

Misconfiguration of pam_wheel can lock you out of root access. Always test changes in a safe environment before applying them to production systems. Ensure that the 'wheel' group exists and is correctly configured.

EXAMPLE USAGE

To restrict root access via su to members of the 'wheel' group, you would add the following line to your /etc/pam.d/su file:
    auth required pam_wheel.so group=wheel

This line should be placed before any lines that grant root access (e.g., before auth sufficient pam_rootok.so or auth sufficient pam_succeed_if.so uid = 0).
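The ordering rule above is easy to get wrong by hand. The following audit script is an added example, not code from pam_wheel or from LinuxCommandLibrary: it parses a pam.d service file and reports whether pam_wheel.so is loaded on an auth line before any "sufficient" pam_rootok.so or pam_succeed_if.so line. The function name check_pam_wheel and the two sample configurations are constructed for this example.

```shell
#!/bin/sh
# Added audit helper, not part of pam_wheel: checks that an /etc/pam.d/<service>
# file loads pam_wheel.so on an auth line before any line with the literal
# control "sufficient" for pam_rootok.so or pam_succeed_if.so, the ordering
# this page recommends. Exit status: 0 = ordering correct,
# 1 = pam_wheel.so missing, 2 = a sufficient bypass precedes pam_wheel.so.
set -f                                    # no globbing when splitting config lines
check_pam_wheel() {
    file=$1; seen_wheel=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|\#*) continue ;; esac   # skip blanks and comments
        set -- $line                             # type control module [args...]
        type=$1; shift; ctl=$1; shift
        case $ctl in \[*)                        # bracketed control spans words
            while [ $# -gt 0 ] && [ "${ctl%]}" = "$ctl" ]; do ctl="$ctl $1"; shift; done ;;
        esac
        module=$1
        case $type in auth|-auth) ;; *) continue ;; esac
        case $module in
            pam_wheel.so) seen_wheel=1 ;;
            pam_rootok.so|pam_succeed_if.so)
                if [ "$ctl" = sufficient ] && [ "$seen_wheel" -eq 0 ]; then
                    echo "$file:$lineno: '$ctl $module' precedes pam_wheel.so" >&2
                    return 2
                fi ;;
        esac
    done < "$file"
    [ "$seen_wheel" -eq 1 ] && return 0
    echo "$file: no auth line loads pam_wheel.so" >&2
    return 1
}

# Constructed sample configurations written to temporary files (not real system files).
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
#%PAM-1.0
auth       required   pam_wheel.so group=wheel
auth       sufficient pam_rootok.so
auth       include    system-auth
EOF
cat > "$bad" <<'EOF'
auth       sufficient pam_rootok.so
auth       required   pam_wheel.so group=wheel
EOF
for f in "$good" "$bad"; do
    check_pam_wheel "$f" && echo "$f: pam_wheel.so ordering OK"
done
```

Only the literal control word sufficient is treated as a bypass; bracketed controls such as [success=1 default=ignore] are parsed so the module field is found, but their semantics are not evaluated.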

SECURITY CONSIDERATIONS

Ensure the integrity of your system's group database. Compromised group membership can circumvent the protection offered by pam_wheel. Regularly audit group memberships and enforce strong password policies.

SEE ALSO

su(1), sudo(8), pam(8)
