It appears to be Unix tradition that a wheel group is created automatically, but Debian (and children, naturally) doesn't do so. Is there a rationale somewhere? Where else have you seen this tradition discarded?
2 Answers
Some unix systems allow only members of the wheel
group to use su
. Others allow anyone to use su
if they know the password of the target user. There are even systems where being in the wheel
group grants passwordless root access; Ubuntu does this, except that the group is called sudo
(and doesn't have id 0).
I think wheel
is mostly a BSD thing. Linux is a mix of BSD and System V, and the various distributions have different default policies with respect to granting root access. Debian happens not to implement a wheel group by default; if you want to enable it, uncomment the auth required pam_wheel.so
line in /etc/pam.d/su
.

- 829,060
Because wheel is a tool of oppression! From info su
:
Why GNU 'su' does not support the 'wheel' group
(This section is by Richard Stallman.)
Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)
However, occasionally the rulers do tell someone. Under the usual `su' mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.
I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.
See also the Debian Reference. Anyways, the sudo
group is built in so who needs wheel
?

- 1,533
-
16I don't know the history, but I doubt this quote is the real reason why Debian doesn't implement the
wheel
group by default. (Debian'ssu
does support thewheel
group, it's just not enabled by default.) Anyway rms's reasoning might apply to MIT in the 1980s, but it doesn't apply to most places where not all users can be trusted and ubiquitous Internet accessibility means security needs to protect against attackers from all over the world. – Gilles 'SO- stop being evil' Dec 01 '10 at 08:31 -
1
-
1For what it’s worth, this is pretty bad reasoning for this feature. Nowadays almost all devices have internet access, making them vulnerable to completely known third parties, and there any extra restriction caused by this kind of group would make sense. – Smar Sep 20 '21 at 12:02
wheel:x:0:root
and modify the /etc/pam.d/su file asauth required pam_wheel.so group=wheel
, (removing the comment before). – elika kohen Oct 29 '15 at 20:53wheel
group to make use of thesudo
group in its place forpam
purposes. Just addgroup=sudo
following the statement. e.g. to allow members of thesudo
group tosu
without a password, simply uncomment/modify the line in/etc/pam.d/su
as follows:auth sufficient pam_wheel.so trust group=sudo
– David C. Rankin Jan 11 '17 at 05:03sudoers
is the way to control this now (September 2017). – SDsolar Sep 11 '17 at 08:07/etc/sudoers
has always been the way to control root access. But since the defaultsudoers
allows anybody in thesudo
group to become root, you can control root access by managing the list of users who are in thesudo
group. – Gilles 'SO- stop being evil' Sep 11 '17 at 08:45