Debian Jessie – su, sudo and Wheel Group

Allow Users to su With the Wheel Group or sudo

Users in Jessie are not allowed to su by default, and the wheel group (whose members are allowed to su) is not created by default. If you need this, follow the steps below to set it up:

Restrict ‘su’ execution

Log in as root and uncomment the line below in /etc/pam.d/su by removing the leading ‘#’.

#auth       required pam_wheel.so

This means that no user can execute su anymore, which is the most secure configuration.

Create the Wheel Group

Create the wheel group (run the command as root):

# groupadd wheel

Add User to Wheel Group

# usermod -aG wheel <user>

<user> can now execute su.

Optionally (and Insecurely) Trust Users in Wheel

This lets users in the wheel group become root with su without being prompted for a password. Edit the /etc/pam.d/su file again and uncomment the following line:

#auth       sufficient pam_wheel.so trust
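
To check which of the states described above a host is actually in, the following added example (not part of the original post) parses a PAM su file and a group file and reports whether pam_wheel is inactive, required or trusted. The function names and the sample file contents are constructed for illustration, and only the simple "type control module args" line form is handled.

```shell
#!/bin/sh
# Added example: audit pam_wheel state for su. Sample data below is constructed.

# pam_wheel_mode FILE -> inactive | required | trusted
# Handles the simple "type control module args" form, not [value=action] controls.
pam_wheel_mode() {
    awk '
        /^[ \t]*#/ { next }                  # commented-out lines are inactive
        $1 == "auth" && $3 ~ /pam_wheel\.so$/ {
            trust = 0
            for (i = 4; i <= NF; i++) if ($i == "trust") trust = 1
            if ($2 == "sufficient" && trust) trusted = 1
            else if ($2 == "required" || $2 == "requisite") required = 1
        }
        END { print (trusted ? "trusted" : (required ? "required" : "inactive")) }
    ' "$1"
}

# wheel_members FILE -> member list from a group(5) file; exit 1 if no wheel group.
# Only supplementary members are listed there, not users whose primary group is wheel.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4; found = 1 } END { exit !found }' "$1"
}

# audit_su_wheel [PAM_FILE] [GROUP_FILE] -> one summary line;
# returns non-zero when wheel members get root without a password.
audit_su_wheel() {
    pam_file="${1:-/etc/pam.d/su}"
    group_file="${2:-/etc/group}"
    mode=$(pam_wheel_mode "$pam_file")
    if members=$(wheel_members "$group_file"); then
        echo "pam_wheel=$mode wheel=${members:-<no members>}"
    else
        echo "pam_wheel=$mode wheel=<group missing>"
    fi
    [ "$mode" != "trusted" ]
}

# Constructed sample: restriction enabled, trust line left commented.
demo=$(mktemp -d)
printf '%s\n' 'auth       sufficient pam_rootok.so' \
              'auth       required pam_wheel.so' \
              '#auth       sufficient pam_wheel.so trust' > "$demo/su"
printf '%s\n' 'root:x:0:' 'wheel:x:1001:alice,bob' > "$demo/group"
audit_su_wheel "$demo/su" "$demo/group" || echo "WARNING: passwordless su for wheel"
rm -rf "$demo"
```

Run without arguments, audit_su_wheel reads /etc/pam.d/su and /etc/group on the local machine.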

Linux: Broken sudoers file in Ubuntu

I’ve done this twice now, sometimes lessons need repeating. If you are going to edit /etc/sudoers in Ubuntu then set a root password or you risk locking yourself out.

If you edit the sudoers file and the syntax is incorrect then the system can no longer read the sudoers file. Now you can’t fix the file because

sudo vi /etc/sudoers

returns an error.

You need to reboot, holding Shift before the GRUB menu appears, and choose recovery mode. Now go to the command line as root, remount the filesystem read/write and give yourself permission to edit the sudoers file:

mount -n -o remount,rw /
chmod u+w /etc/sudoers

Now:

vi /etc/sudoers

and fix that mistake.

Really though... if you had set a secure root password, you could have avoided the pain with

su -