Wheel Group and Fedora (Red Hat) Linux

My post on the importance and methods of wheel groups remains popular. I though I would go into various UNIX variants and detail specifically how to activate wheel groups.

Today, the discussion is around Red Hat Linux (speaking generally). The test system was running Fedora Core 5; however, this area of Red Hat has not changed in quite some time, so it is likely to be the same in Fedora 7 and so forth.

First, make sure there is a wheel group in the /etc/group file. On Fedora Core 5, there is:


If this line does not exist, add it.

Of course, you must put users that you want to be admins into the wheel group. To do this, add the user to the end of the wheel group line. This will make the wheel group a secondary group; I don’t know if that will make a difference today, but it might somewhere.

Second, change into the /etc/pam.d directory, and edit the file su. This file controls the access to the program su and modifies its behaviors during the authentication process. The change will modify the access so that only those in the wheel group have access to the program su.

Find these lines in /etc/pam.d/su:

# Uncomment the following line to require a user to be in the “wheel” group.
#auth required pam_wheel.so use_uid

And change them (as suggested) to this:

# Uncomment the following line to require a user to be in the “wheel” group.
auth required pam_wheel.so use_uid

This access change is not necessarily limited to the su command, but no other command has normally been included in the past. If there are other commands that only those in the wheel group should be able to access, then this line could be put into their PAM configuration (in the right place).

Note that editing PAM files could very easily lock you out of your machine completely; thus do not take editing PAM files (in /etc/pam.d) lightly. The Red Hat authored wheel group modification is simple and easy; other changes you make may not be.

Then, expand the permissions in sudo to account for those with wheel permissions. Edit the configuration file with visudo and change these lines:

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

To this (as recommended):

# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL

This will allow anyone in the wheel group to execute commands using sudo (rather than having to add each person one by one). It would also allow anyone this sort of access on any machine that they have wheel group membership.

3 thoughts on “Wheel Group and Fedora (Red Hat) Linux”

  1. Today I am running Fedora 11 and am wondering if the above method you give here is still a good way to do things as opposed to simply doing the following:

    su –
    echo ‘ ALL=(ALL) ALL’ >> /etc/sudoers

  2. Still works. I’m running CentOS 5 now. If you look at the sudoers file – with visudo – you’ll find a line for the wheel group. Uncomment it and voila.

    If you want to, you can then also go into /etc/pam.d and edit the su file, activating the proper line for restricting su access to the wheel group.

  3. You don’t have to use the “wheel” group. You can use any group you want by adding “group=” in the line in /etc/pam.d/su. Assuming your admins are all part of the “admin_group”, this would be the syntax:
    auth required pam_wheel.so use_uid group=admin_group
    Also, if you have users who need to su to other non-root users, but you don’t want them to be able to su to root at all, you can accomplish this by adding the “root_only” argument in the the same file above.
    auth required pam_wheel.so use_uid group=admin_group root_only
    We have generic users for applications that others need to use but we don’t want them to even be able to access root even if they wanted to. We have been using the config with both “group=” and “root_only” for quite some time now. I’ve successfully tested this in both SuSE and RedHat.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: