1. Ensure that the group wheel exists, and that the usernames of all administrators who should be allowed
to execute commands as root are members of that group.
# grep ^wheel /etc/group
2. Edit the file /etc/pam.d/su. Add, uncomment, or correct the line:
auth required pam_wheel.so use_uid
The su command allows a user to gain the privileges of another user by entering the password for that user’s account. It is desirable to restrict the root user so that only known administrators are ever allowed to access the root account.
This restricts password-guessing against the root account by unauthorized users or by accounts which have been compromised.
By convention, the group wheel contains all users who are allowed to run privileged commands.The PAM module pam wheel.so is used to restrict root access to this set of users.