1

I don't understand. In BSD, if I want to run su -, I have to add myself to the wheel group. Is this not true in Linux?

[test@centos ~]$ uname -a
Linux centos 4.18.0-193.19.1.el8_2.x86_64 ...
[test@centos ~]$ cat /etc/group | grep wheel
wheel:x:10:
[test@centos ~]$ cat /etc/group | grep test
test:x:1001:
[test@centos ~]$ su -
Password: 
Last login: Wed Oct 14 ...
[root@centos ~]# whoami
root
payagit373
  • A search engine is good for finding answers before posting a question. Have a look at the answer hidden within https://unix.stackexchange.com/questions/535936/why-is-su-world-executable Welcome aboard! – vk5tu Oct 14 '20 at 12:59
  • Membership of the wheel group is required by the BSD-authored su command. Membership of the wheel group is not required by the GNU-authored su command in their coreutils programs. Richard Stallman gives reasons at https://ftp.gnu.org/old-gnu/Manuals/coreutils-4.5.4/html_node/coreutils_149.html When PAM support was added to GNU's su, that behaviour was configured as the default. – vk5tu Oct 14 '20 at 13:02

2 Answers

6

It depends on the Linux distribution, but in CentOS, there's no special relationship between su and wheel out of the box:

% docker run --rm -it centos:8
[root@58212abdad65 /]# grep wheel /etc/pam.d/ -r
/etc/pam.d/su:# Uncomment the following line to implicitly trust users in the "wheel" group.
/etc/pam.d/su:#auth     sufficient  pam_wheel.so trust use_uid
/etc/pam.d/su:# Uncomment the following line to require a user to be in the "wheel" group.
/etc/pam.d/su:#auth     required    pam_wheel.so use_uid

As you can see, you can configure it to behave like the BSD you use.

In some other distros, the first option might be enabled (allowing wheel users to su without needing a password), but I don't remember which ones.

muru
  • I can confirm that on Ubuntu, Ubuntu Server, and Raspberry Pi OS everyone can use "su" if you have the root password. – Bonsi Oct 14 '20 at 07:16
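
An added example (not part of the answers on this page, and not code from any distribution): a shell function that reads a PAM service file for su and reports whether pam_wheel is inactive, trusting, or required, which is the difference the commented-out lines quoted above control. The function name `su_wheel_policy` and the sample files are constructed for illustration; the check looks only at the file it is given.

```shell
#!/bin/sh
# Classify how a PAM service file for su treats the wheel group.
# Limits (assumptions): does not follow "include"/"substack" lines and does not
# interpret pam_wheel's "deny" option or bracketed [value=action] controls.

su_wheel_policy() {   # $1 = PAM service file; prints open|trust|required|trust+required
    awk '
        /^[ \t]*#/ { next }                      # commented-out lines are inactive
        $1 ~ /^-?auth$/ && $3 ~ /(^|\/)pam_wheel\.so$/ {
            has_trust = 0
            for (i = 4; i <= NF; i++) if ($i == "trust") has_trust = 1
            if ($2 == "sufficient" && has_trust) trust = 1           # wheel members skip the password
            if ($2 == "required" || $2 == "requisite") required = 1  # non-members are refused
        }
        END {
            if (trust && required) print "trust+required"
            else if (trust)        print "trust"
            else if (required)     print "required"
            else                   print "open"
        }' "$1"
}

# Constructed sample files modelled on the CentOS 8 /etc/pam.d/su lines quoted above.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/default" <<'EOF'
auth     sufficient  pam_rootok.so
#auth     sufficient  pam_wheel.so trust use_uid
#auth     required    pam_wheel.so use_uid
EOF
# Uncomment one line at a time to produce the two alternative configurations.
sed 's/^#\(auth *required\)/\1/'   "$SAMPLES/default" > "$SAMPLES/bsd_like"
sed 's/^#\(auth *sufficient\)/\1/' "$SAMPLES/default" > "$SAMPLES/trusting"

for f in default bsd_like trusting; do
    printf '%-9s %s\n' "$f" "$(su_wheel_policy "$SAMPLES/$f")"
done
```

On a real system the same function can be pointed at the live file with `su_wheel_policy /etc/pam.d/su`; a result of `open` means any user who knows the root password can use su.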
2

When invoked as aforementioned, the su command will ask for a root/superuser password; group membership is irrelevant, as long as you know the password. Now, if you were using sudo su, you could assign group(s) superuser rights; wheel and sudo are (2) groups most often used out-of-the-box, especially on single-user systems.

ajgringo619
  • Yes, but you specifically asked "Is this not true in Linux?" - so no reason for the downvotes, as this answer is correct. – Bonsi Oct 14 '20 at 07:12