pam_wheel 8 Linux-PAM Linux-PAM Manual pam_wheel Only permit root access to members of group wheel pam_wheel.so debug deny group=name root_only trust The pam_wheel PAM module is used to enforce the so-called wheel group. By default it permits access to the target user if the applicant user is a member of the wheel group. If no group with this name exist, the module is using the group with the group-ID 0. debug Print debug information. deny Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the group option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless trust was also specified, in which case we return PAM_SUCCESS). group=name Instead of checking the wheel or GID 0 groups, use the name group to perform the authentication. root_only The check for wheel membership is done only when the target user UID is 0. trust The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd). The auth and account module types are provided. PAM_AUTH_ERR Authentication failure. PAM_BUF_ERR Memory buffer error. PAM_IGNORE The return value should be ignored by PAM dispatch. PAM_PERM_DENY Permission denied. PAM_SERVICE_ERR Cannot determine the user name. PAM_SUCCESS Success. PAM_USER_UNKNOWN User not known. The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants. su auth sufficient pam_rootok.so su auth required pam_wheel.so su auth required pam_unix.so pam.conf5 , pam.d5 , pam7 pam_wheel was written by Cristian Gafton <gafton@redhat.com>.