How to allow access to su to root on FreeBSD

su -- substitute user identity. The su utility requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed.

If you are the administrator of a FreeBSD system and want to allow a user to su to root, use pw modgroup wheel -M user, where "user" is the login name of the user you wish to allow this.
SU(1) FreeBSD General Commands Manual SU(1)
NAME su -- substitute user identity
SYNOPSIS su [-] [-flms] [-c class] [login [args]]
DESCRIPTION
The su utility requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed.
PAM is used to set the policy su(1) will use. In particular, by default only users in the ``wheel'' group can switch to UID 0 (``root''). This group requirement may be changed by modifying the ``pam_group'' section of /etc/pam.d/su. See pam_group(8) for details on how to modify this setting.
By default, the environment is unmodified with the exception of USER, HOME, and SHELL. HOME and SHELL are set to the target login's default values. USER is set to the target login, unless the target login has a user ID of 0, in which case it is unmodified. The invoked shell is the one belonging to the target login. This is the traditional behavior of su. Resource limits and session priority applicable to the original user's login class (see login.conf(5)) are also normally retained unless the target login has a user ID of 0.
The options are as follows:
-f If the invoked shell is csh(1), this option prevents it from reading the ``.cshrc'' file.
-l Simulate a full login. The environment is discarded except for HOME, SHELL, PATH, TERM, and USER. HOME and SHELL are modified as above. USER is set to the target login. PATH is set to ``/bin:/usr/bin''. TERM is imported from your current environment. Environment variables may be set or overridden from the login class capabilities database according to the class of the target login. The invoked shell is the target login's, and su will change directory to the target login's home directory. Resource limits and session priority are modified to that for the target account's login class.
- (no letter) The same as -l.
-m Leave the environment unmodified. The invoked shell is your login shell, and no directory changes are made. As a security precaution, if the target user's shell is a non-standard shell (as defined by getusershell(3)) and the caller's real uid is non-zero, su will fail.
To change the characteristics of a user or group in FreeBSD you can use pw(8).
PW(8) FreeBSD System Manager's Manual PW(8)
NAME pw -- create, remove, modify & display system users and groups
DESCRIPTION
The pw utility is a command-line based editor for the system user and group files, allowing the superuser an easy to use and standardized way of adding, modifying and removing users and groups. Note that pw only operates on the local user and group files. NIS users and groups must be maintained on the NIS server. The pw utility handles updating the passwd, master.passwd, group and the secure and insecure password database files, and must be run as root.

The first one or two keywords provided to pw on the command line provide the context for the remainder of the arguments. The keywords user and group may be combined with add, del, mod, show, or next in any order. (For example, showuser, usershow, show user, and user show all mean the same thing.) This flexibility is useful for interactive scripts calling pw for user and group database manipulation. Following these keywords, you may optionally specify the user or group name or numeric id as an alternative to using the -n name, -u uid, -g gid options.

[...]

GROUP OPTIONS
The -C and -q options (explained at the start of the previous section) are available with the group manipulation commands. Other common options to all group-related commands are:
-n name Specify the group name.
-g gid Specify the group numeric id.
As with the account name and id fields, you will usually only need to supply one of these, as the group name implies the uid and vice versa. You will only need to use both when setting a specific group id against a new group or when changing the uid of an existing group.
-M memberlist This option provides an alternative way to add existing users to a new group (in groupadd) or replace an existing membership list (in groupmod). memberlist is a comma separated list of valid and existing user names or uids.
-m newmembers Similar to -M, this option allows the addition of existing users to a group without replacing the existing list of members. Login names or user ids may be used, and duplicate users are silently eliminated.
groupadd also has a -o option that allows allocation of an existing group id to a new group. The default action is to reject an attempt to add a group, and this option overrides the check for duplicate group ids. There is rarely any need to duplicate a group id.
The groupmod command adds one additional option:
-l name This option allows changing of an existing group name to `name'. The new name must not already exist, and any attempt to duplicate an existing group name will be rejected.
Options for groupshow are the same as for usershow, with the -g gid replacing -u uid to specify the group id. The -7 option does not apply to the groupshow command.
The command groupnext returns the next available group id on standard output.
If you want to allow user yourname to su to root, use pw modgroup wheel -M yourname or pw modgroup wheel -m yourname, depending on whether you want to replace the wheel group's membership list (-M) or add yourname to the existing members (-m).
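Because -M replaces the wheel membership list while -m appends to it, it is worth previewing the result before touching the group file. The script below is an added example, not part of the original post or of pw(8): it simulates both forms on group(5)-formatted text read from stdin (so it can be run against cat /etc/group or the constructed sample), reports which existing wheel members a -M call would silently drop, and checks whether a given user is already in wheel. It never calls pw itself.

```sh
#!/bin/sh
# Constructed sample group(5) content for the demo, not taken from a real system.
SAMPLE_GROUP='wheel:*:0:root,alice
operator:*:5:root
staff:*:20:'

# Print the current comma-separated member list of group $1 (stdin = group file).
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4; exit }'
}

# Membership after `pw groupmod G -M $1`: the given list replaces what was there.
after_M() {
    printf '%s\n' "$1"
}

# Membership after `pw groupmod G -m $2` on current list $1:
# append, drop duplicates, keep original order (what pw(8) says -m does).
after_m() {
    printf '%s,%s' "$1" "$2" | awk -v RS=',' '
        { gsub(/\n/, "") }
        $0 != "" && !seen[$0]++ { out = out (out == "" ? "" : ",") $0 }
        END { print out }'
}

# Members of group $1 (stdin = group file) missing from proposed list $2,
# i.e. the accounts that would lose wheel access if $2 were applied with -M.
dropped_by_M() {
    group_members "$1" | awk -v keep="$2" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) have[k[i]] = 1 }
        { n = split($0, cur, ",")
          for (i = 1; i <= n; i++)
              if (cur[i] != "" && !have[cur[i]]) out = out (out == "" ? "" : ",") cur[i] }
        END { print out }'
}

# Exit 0 if user $1 is a member of group $2 (stdin = group file), else 1.
in_group() {
    group_members "$2" | awk -v u="$1" -v RS=',' '
        { gsub(/\n/, "") } $0 == u { f = 1 } END { exit (f ? 0 : 1) }'
}

# Demo on the sample: the post's first form (-M bob) would drop root and alice.
cur=$(printf '%s\n' "$SAMPLE_GROUP" | group_members wheel)
echo "current wheel members : $cur"
echo "after -M bob          : $(after_M bob)"
echo "after -m bob          : $(after_m "$cur" bob)"
echo "dropped by -M bob     : $(printf '%s\n' "$SAMPLE_GROUP" | dropped_by_M wheel bob)"
```

On a live system, run `cat /etc/group | dropped_by_M wheel "$list"` before any -M call; a non-empty result means you are about to remove someone's ability to su.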
1 comment(s) to How to allow access to su to root on FreeBSD:
1. Re: How to allow access to su to root on FreeBSD
Fail... by Roy
at March 17th, 2011 - 03:12
If you don't read all the way down and just use the first example with the -M you REPLACE the members of the group... what you want is -m which ADDS to the members of the group without replacing.
Copyright 2007 Andrei Manescu