Access to su without being in the wheel group (the PAM way)

nadampel · n00b Joined: 14 Mar 2018 Posts: 1

If you're like me, then you're a little nervous about granting your non-root user access to the wheel group just so you can use su when you need to. Users in the wheel group are a little more powerful than the standard user, and I like to keep my non-root user as powerless as possible (it's a power trip

)

There are a couple of ways to do this. In particular, you can do this with sudo and the /etc/sudoers file, but I am not adept in the ways of sudo (perhaps someone can post a reply instructing how to do this with sudo?), and I prefer the simpler solution of using PAM (Pluggable Authentication Modules) directly.

First, make sure that you have PAM installed.
Code:
emerge sys-libs/pam

Now, edit the /etc/pam.d/su file. This file contains configuration information about which PAM modules to load to enforce security with respect to the su command. In this file, look for the line that looks like this:
Code:
auth required /lib/security/pam_wheel.so use_uid

This line loads the pam_wheel.so module, which tells PAM that in order to use su, it is required that the requesting user be a part of the wheel group. We can change this default behavior by telling PAM that we want it to check for a different group. Simply append group=<nameOfGroup> to the end of that line to make su recognize a group other than wheel. For example:

Code:
auth required /lib/security/pam_wheel.so use_uid group=sugrp

In this case, PAM will require that any user requesting to use the su command must be a member of the sugrp group.

All that remains is adding to the appropriate group all of the users that you want to use su.

NOTE: This method affects all use of the su command, even to users other than the root. That is, if a particular user in not a member of the appropriate group (wheel or otherwise), then that user cannot use su at all, even to su to another non-root user. Power trip, baby!

depontius · Advocate Joined: 05 May 2004 Posts: 3522

Doesn't this just confer the privileges of "wheel" to the new group you've chosen? Isn't this just wheel, by another name?
_________________
.sigs waste space and bandwidth

Hu · Administrator Joined: 06 Mar 2007 Posts: 22705

Mostly, yes. It does separate wheel's ability to su from all the other privileges that the wheel group grants, so you can give someone those privileges and not su or vice versa. On my system, those privileges amount to the ability to run /usr/sbin/cron. That's the only filesystem-related permission where wheel is used. So in practice, yes, it's almost equivalent to merely renaming wheel.

steveL · Posted: Sun Apr 08, 2018 6:20 pm Post subject: