Red Hat Bugzilla – Bug 12161
wheel group functionality
Last modified: 2008-05-01 11:37:56 EDT
I think that wheel group functionality is one security related thing that
could be enabled by default in the next release of Red Hat. The "wheel"
group thing is relly easy to add in Red Hat after installation thanks to
PAM, but it always annoys me that I have to manually enable it, and that it
is turned off by default.
The "wheel group" functionality is a default one in FreeBSD. The "wheel"
group is a group with those users that should be able to use "su" to
become root. All other users are being shut out from that possibility:
If they try su:ing to root, and even if they should supply the correct
password, the only response they'll get is the standard "incorrect
Adding this functionality is a matter of adding the line
auth required /lib/security/pam_wheel.so
to /etc/pam.d/su and adding those users who should to be able to su to
root to the "wheel" group in /etc/group.
I suggest that the above line be added as default to /etc/pam.d/su, and
thus the wheel group functionality be default in the next release of Red
Noticed that /etc/pam.d/su belongs to the sh-utils package, and changed the
We would get numerous complaints about users not being able to "su" to get a
root shell if we did this. Using pam_wheel is a site-specific decision, but in
cases where the administrator is not aware of its existence, pam_wheel can be
Well, IIRC pam gives the same error message for password error, account expired,
and whatever. This would no doubt be confusing.
However, if 'su' said something to the effect:
su: you are not in the correct group to su root.
This would be self-documenting.
A lighter approach might be to change file permissions of 'su' and perhaps other
similar relevant programs so that only group 'wheel' can even execute them.. No
complaints about peculiar error messages.
That the upgrade path is difficult is, in my opinion, not a reason not to
include a severe security enhancement. The installation program could during an
upgrade warn about the changed behavior and ask what users (UID>500), taken from
the password file, should be able to switch to the superuser via "su".
I've not met anyone who thought that this wheel group behavior shouldn't be the
default. It would be a huge boost in Red Hat PR to the security-conscious Linux
users and admins.
email@example.com suggested that the line
#auth required /lib/security/pam_wheel.so group=wheel use_uid
be put (commented) in /etc/pam.d/su . This way, the default bevavior would be
the same as ever, but it would be easier for those who want wheel group
functionality to enable it.
Personally, I still think that wheel group functionality should be the default,
but this way Red Hat won't have so much trouble with confused users and the
upgrade path, and those who want this will have it easier.
As for the options to the line above, i don't know if the options are the right
(is group=wheel still needed? I think it was resolved in bug 5719), but that
commented line would anyway be a good idea.
Adding a commented line to the su configuration file is definitely not a
problem. I'll make that change today.
firstname.lastname@example.org told that the lines in Debian's /etc/pam.d/su
were like this (I added group=wheel to the first line though):
# Uncomment this to force users to be a member of group wheel
# before they can use `su'.
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so group=wheel
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
I think the explainatory lines and examples are nice. Maybe this could be used
in Red Hat's /etc/pam.d/su too?
One of the comments above has arguments "group=wheel use_uid" to pam_wheel.so,
but the comment added to the file when closing this bug doesn't. Just to
double-check: are those parameters required?
The "group=wheel" should not be required. The logic in pam_wheel defaults to
using the wheel group, and the group with GID=0 if the wheel group does not
exist. The "use_uid" option checks using the UID of the calling process instead
of using getlogin(), which I actually think should have been the default.
I've verified this in beta3. Nalin has fixed this and also my suggestion with
some explanatory comments. This is the contents of /etc/pam.d/su in beta3:
auth sufficient /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
Looks good to me. I'm closing this now.