Hello.
I have a RHEL 7.2 system where a regular user cannot use "su -" to switch to the root account:
server532:t711740:/$ id
uid=75456(t711740) gid=10000(personales) groups=10000(personales),10(wheel)
tehrh532:t711740:/$ su -
Password:
su: Permission denied
But the same user can become root with "sudo su -":
server532:t711740:/$ sudo su -
[sudo] password for t711740:
server532:root:/root# id
uid=0(root) gid=0(root) groups=0(root),70000(emergencia)
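What could be the problem? Any ideas? The user is in the wheel group (see the id output above), which the pam_wheel line in /etc/pam.d/su below requires. Here is the relevant output, collected as root: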
server532:root:/root# grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
server532:root:/root# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
tty0
tty1
tty2
tty3
tty4
tty5
tty6
server532:root:/root# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so group=wheel root_only use_uid
auth include system-auth-su
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session include system-auth
session optional pam_xauth.so
server532:root:/root# ls -l /bin/su
-rwsr-xr-x. 1 root root 32072 Aug 21 2015 /bin/su