What is the purpose of group "wheel" on FreeBSD (FreeNAS) OS?

Jim DeLaHunt asked:

I am setting up a new server based on FreeNAS, a FreeBSD-based operating system. The system has a group, wheel. I have a vague idea that sysadmins should be added to group wheel, and that the group confers ability to use su (superuser). However, I can’t find this written down anywhere.

What is the purpose of group wheel? Under what circumstances I should add my users to it? If you can point me to a FreeBSD sysadmin handbook which explains this, great. Otherwise ServerFault becomes that handbook.

My answer:

It’s right in the su(1) man page.

     PAM is used to set the policy su(1) will use.  In particular, by default
     only users in the "wheel" group can switch to UID 0 ("root").  This group
     requirement may be changed by modifying the "pam_group" section of
     /etc/pam.d/su.  See pam_group(8) for details on how to modify this set-

A very ancient version of the man page said:

     Only users who are a member of group 0 (normally "wheel") can su to
     "root".   If group 0 is missing or empty, any user can su to "root".

This allows you to control which users can su. It is not likely that you want every single user of your system to be able to su.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.