vi /etc/pam.d/su
在 /etc/pam.d/su 中, 与wheel有关的有两句 , 默认是加注释的,
此时所有用户能su到root, 要密码
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid //这句
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid //和这句
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
启用这条👇使得wheel成员su到root不用输密码
auth sufficient pam_wheel.so trust use_uid
启用这条👇使得非wheel成员无法切换到root
auth required pam_wheel.so use_uid