bug-sh-utils

Re: man page update for 'su'


From: Bob Proulx
Subject: Re: man page update for 'su'
Date: Mon, 10 Nov 2003 21:48:21 -0700
User-agent: Mutt/1.3.28i

Dairenn Lombard wrote:
> Mind adding the fact that in order to use /bin/su must be in the 'wheel'
> group in the man pages?  Adding that into the "info" screen would also help.

We appreciate your report.  Bringing these things to the maintainers'
attention helps improve the software.  But in this case you are not
correct.  GNU su does not require users to be in the wheel group.  In
fact RMS many years ago wrote a rant against the wheel group which is
now rather famous.  The essay is now very outdated and is really only
pertinent for historical perspective.  Please read the info
documentation and look for this section.

  Why GNU `su' does not support the `wheel' group
  ===============================================

What version of su are you using?  Many free software distributions
replace the GNU su with a different one.  What does this say?  I
suspect that you are not actually using GNU su.

  su --version

However I assume (I did not look) that the GNU su program does use PAM
(pluggable authentication modules) on any system that supports it.
Therefore if your system supports PAM it is likely that GNU su is
using it.  In which case it is possible on your particular system to
configure PAM to require a user to be in a wheel group.  It is just as
likely that you have a system configured to use an electronic active
card.  Or a system that uses one time passwords.  Or a system that uses
Kerberos.  The possibilities are endless.  It is impossible for su to
know about these configurations.

Check your /etc/pam.d/* for references to the wheel group.  On my
Debian GNU/Linux system there is a file /etc/pam.d/su which is part of
the login package.  It contains a template which may be uncommented to
use pam_wheel.so which is a file from the libpam-modules package.  It
is not enabled by default.  Check your system for something similar.
Read the documentation on those files for your system, delete those
lines from the file and your system will no longer be so restricted.

Bob
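
The /etc/pam.d check described in the message above, as an added example that is not part of the original post: it lists only active (uncommented) pam_wheel.so rules, so a commented-out template such as the Debian one is not reported. The function name `find_active_pam_wheel` and the output format are assumptions of this example; it reads directory-style PAM files only and does not follow include directives or backslash line continuations.

```shell
#!/bin/sh
# Added example (not from the original message): report active pam_wheel.so
# rules in a PAM configuration directory. Hypothetical helper name.
# Usage: find_active_pam_wheel [DIR]    (DIR defaults to /etc/pam.d)
find_active_pam_wheel() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Rule format in /etc/pam.d files: type control module-path [arguments]
        awk -v file="$f" '
        {
            sub(/#.*/, "")      # drop comments; commented templates vanish here
            mod = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /pam_wheel\.so$/) { mod = i; break }
            if (!mod) next
            ctl = ""; args = ""
            # control may be one word or a bracketed list containing spaces
            for (i = 2; i < mod; i++) ctl = ctl (ctl == "" ? "" : " ") $i
            for (i = mod + 1; i <= NF; i++) args = args (args == "" ? "" : " ") $i
            printf "%s:%d: type=%s control=%s args=%s\n", file, NR, $1, ctl, (args == "" ? "(none)" : args)
        }' "$f"
    done
}

# When run as a script, scan the directory given as the first argument.
find_active_pam_wheel "$@"
```

No output means no file in the directory has an enabled pam_wheel.so rule; each reported line names the file and line number to review.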

