Enabling su/sudo Access with Wheel Group

30 minutes
  • 5 Learning Objectives

About this Hands-on Lab

System Administrators rarely log into a system as `root`, due to a number of security risks. Some distributions even disable the `root` account to begin with. Restricting the ability to use `root` privileges to selected users is an important part of maintaining a secure system. In this activity, you will learn how to secure the `su` and `sudo` commands by restricting their use to members of the `wheel` group.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Confirm Your User Is in the wheel Group and Set the /usr/bin/sudo and /usr/bin/su Files so They Can Be Executed by the root User and wheel Group

Use the id and groups commands to confirm your wheel group membership:

id
groups

Use sudo to become the root user:

sudo -i

Run chgrp to set the wheel group as the owner of /usr/bin/sudo and /usr/bin/su:

chgrp wheel /usr/bin/sudo /usr/bin/su

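Use chmod to set the most restrictive permissions that still allow the root user and wheel group to execute sudo and su. Mode 4110 keeps the setuid bit and grants execute permission only to the owner (root) and the group (wheel):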

chmod 4110 /usr/bin/sudo /usr/bin/su

Run ls -l on either file to confirm. The mode should read ---s--x---, with root as the owner and wheel as the group.

Use visudo to Confirm, Create, or Uncomment Entry Allowing wheel Group to Use sudo

To verify that /etc/sudoers allows the wheel group to use sudo, or to modify it so that it does, use the visudo command:

visudo

We need a line that looks like this:

%wheel  ALL=(ALL)       ALL

It may already be there, or it may be there and commented out. It’s usually down in the vicinity of the root line. Save changes to the file and exit. Use grep to verify the line is there.

grep wheel /etc/sudoers

Uncomment or Create a Line in /etc/pam.d/su to Require wheel Group Membership for Using the su Command

Using the editor of your choice, uncomment or create an additional "auth" test below the line ending with pam_rootok.so. The line should look like this:

auth            required        pam_wheel.so use_uid

Create a sysadmin User, Make Them a Member of the wheel Group, Set Their Password, and Verify sysadmin Is Able to Use sudo and su

Create the sysadmin user and make them a member of the wheel group:

useradd -G wheel sysadmin

Running it this way would work too:

useradd sysadmin
usermod -aG wheel sysadmin

Now we can set the sysadmin user password:

passwd sysadmin

Verify sysadmin can execute su and sudo:

su - sysadmin
sudo tail -n1 /etc/shadow
su -l cloud_user
exit
exit

Create a User, sysuser, Who Is Not a Member of the wheel Group, Set Their Password, and Verify That They Are Not Able to Use sudo and su

Create the sysuser user and do not make them a member of the wheel group:

useradd sysuser

Set the sysuser user password.

passwd sysuser

Verify sysuser cannot execute su and sudo:

su --login sysuser
sudo tail -n1 /etc/shadow
su -l cloud_user
exit
exit

Both the sudo command and the su command that follows it should fail.

Additional Resources

In order to make a system more secure, we have been asked to restrict access to the su and sudo commands. Only members of the wheel group should be allowed to run those commands.

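We'll need to create /etc/sudoers.d/wheel.grp, which will allow wheel group members to use the sudo command. Be aware that sudo skips files in /etc/sudoers.d whose names contain a "." or end in "~", so after creating the file, confirm the rule is in effect by running sudo -l as a wheel member.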

In addition, only members of the wheel group should be allowed to use the su (switch user) command. Fixing this is a two-step process.

First, we'll need to set the permissions on /usr/bin/su so that only members of the wheel group can execute it.

Next, we have to modify /etc/pam.d/su (the Pluggable Authentication Module file) and require the user to be a member of the wheel group there as well.
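
The settings above can be checked in one pass. The script below is an added example, not part of the original lab: a read-only audit of the file mode, the sudoers rule, the PAM line and the drop-in file names. The function names, the --audit switch and the script name audit-wheel.sh are assumptions of this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example: read-only audit of the wheel restrictions set up in this lab.

# stat output "MODE OWNER GROUP" must be setuid root, execute-only for root and wheel.
is_locked() { [ "$1" = "4110 root wheel" ]; }

# True if FILE holds an active (uncommented) "%wheel ALL=(ALL) ALL" rule.
sudoers_allows_wheel() {
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL[[:space:]]*$' "$1"
}

# True if FILE holds an active "auth required pam_wheel.so ... use_uid" line.
pam_su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]](.*[[:space:]])?use_uid([[:space:]]|$)' "$1"
}

# sudo skips files in /etc/sudoers.d whose names contain "." or end in "~".
dropin_name_is_read() {
    case "$1" in *.*|*~) return 1 ;; *) return 0 ;; esac
}

# Run every check. The optional arguments (an assumption of this example)
# point the file checks at copies instead of the live files.
audit() {
    rc=0
    for bin in /usr/bin/sudo /usr/bin/su; do
        is_locked "$(stat -c '%a %U %G' "$bin")" || { echo "FAIL: $bin is not 4110 root:wheel"; rc=1; }
    done
    sudoers_allows_wheel "${1:-/etc/sudoers}" || { echo "FAIL: no active %wheel rule in sudoers"; rc=1; }
    pam_su_requires_wheel "${2:-/etc/pam.d/su}" || { echo "FAIL: su does not require pam_wheel.so"; rc=1; }
    for f in /etc/sudoers.d/*; do
        [ -e "$f" ] || continue
        dropin_name_is_read "$(basename "$f")" || echo "NOTE: sudo ignores $f"
    done
    return "$rc"
}

# Run as root with: sh audit-wheel.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; fi
```

A commented-out %wheel or pam_wheel.so line counts as a failure, which is the state many distributions ship in.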
