# Access to su without being in the wheel group (the PAM way)

## grafty

Access to su without being in the wheel group (the PAM way)

If you're like me, then you're a little nervous about granting your non-root user access to the wheel group just so you can use su when you need to.  Users in the wheel group are a little more powerful than the standard user, and I like to keep my non-root user as powerless as possible (it's a power trip   :Smile:  )

There are a couple of ways to do this.  In particular, you can do this with sudo and the /etc/sudoers file, but I am not adept in the ways of sudo (perhaps someone can post a reply instructing how to do this with sudo?), and I prefer the simpler solution of using PAM (Pluggable Authentication Modules) directly.

First, make sure that you have PAM installed.

```
emerge sys-libs/pam
```

Now, edit the /etc/pam.d/su file.  This file contains configuration information about which PAM modules to load to enforce security with respect to the su command.  In this file, look for the line that looks like this:

```
auth required /lib/security/pam_wheel.so use_uid
```

This line loads the pam_wheel.so module, which tells PAM that in order to use su, it is required that the requesting user be a part of the wheel group.  We can change this default behavior by telling PAM that we want it to check for a different group. Simply append group=<nameOfGroup> to the end of that line to make su recognize a group other than wheel.  For example:

```
auth required /lib/security/pam_wheel.so use_uid group=sugrp
```

In this case, PAM will require that any user requesting to use the su command must be a member of the sugrp group.

All that remains is adding to the appropriate group all of the users that you want to use su.

NOTE: This method affects all use of the su command, even to users other than the root.  That is, if a particular user in not a member of the appropriate group (wheel or otherwise), then that user cannot use su at all, even to su to another non-root user. Power trip, baby!  :Smile: 

----------

## drakonite

What extra powers does a person in the wheel group have besides being able to use su?

----------

## grafty

The wheel group (used more commonly in BSD's than in linuxes) is traditionally used for quasi-admistrative purposes.  For a list of all of the files that wheel members have access to, try this:

```
find / -group wheel
```

On my system, for example, members of the wheel group have access to almost 7000 files to which normal users do not have access.

----------

## rac

But if somebody's a member of the sugrp group, they can become root and do anything anybody in wheel could have done.

----------

## compu-tom

What if I only want to give a user the permission to "su anybody" where anybody is not root?

Su doesn't mean necessarily becoming root.

Nevertheless the user has "wheel" permissions now because I had to add the user to "wheel"...

----------

## grafty

 *rac wrote:*   

> But if somebody's a member of the sugrp group, they can become root and do anything anybody in wheel could have done.

 

Only if they know the root password.  If you're a member of the wheel group, you automatically have access to wheel files.  If you're not a member of the wheel group, but instead a member of the sugrp group, then you CAN su to root, but you have to enter in the password.

Even if you didn't have to enter the root password (which you can set up), you would still be safer running things as your standard non-root user because you know you can't break things that wheel users can break (unless you su to root).  It's the whole purpose of not running everything as root in the first place.

----------

## rtn

 *grafty wrote:*   

> 
> 
> There are a couple of ways to do this.  In particular, you can do this with sudo and the /etc/sudoers file, but I am not adept in the ways of sudo (perhaps someone can post a reply instructing how to do this with sudo?), and I prefer the simpler solution of using PAM (Pluggable Authentication Modules) directly.
> 
> 

 

It's pretty easy to set up with sudo.  You can just add the user to /etc/sudoers

with whatever permissions that user needs.  You could use this for example:

```
user        ALL=(ALL) /bin/su,/bin/bash
```

Then you could either use sudo to give you a subshell with root privs:

```
sudo -s
```

or you could manually sudo su or bash

```
sudo /bin/su -

sudo /bin/bash

```

It's all covered in the man pages for sudo, visudo, and sudoers.

--rtn

----------

## rac

I just got a new version of /etc/pam.d/su that has commented-out sample lines for making an /etc/security/suauth.allow.  Perhaps this would be equivalent?

----------

## grafty

 *rac wrote:*   

> I just got a new version of /etc/pam.d/su that has commented-out sample lines for making an /etc/security/suauth.allow.  Perhaps this would be equivalent?

 

The suauth.allow file is a way to allow particular users to use su by enumerating them in a file.  This is similar to granting users access to su by enumerating them in the sudoers file, and its effects are identical to creating an "su-autherized" linux group.  The difference between the three of these methods is the file that dictates which users are allowed access to su.

My personal preference is to keep as much "group" information (including the "group" that has access to su) in the actual /etc/group file.

----------

