by rvnx 1035 days ago
There are few (to no?) situations where su has a good reason to check wheel.

You either have the password, or you don't have it. But not something in-between.

Outside of any ideology, in a scenario where you use su to become root, it's a very odd choice to link the wheel group to su; because if you know the password to the "root" user, and you have physical or remote access to the computer, you can likely just log in as root.

And if you can't, then it means you actually needed sudo su, not su.

Those who actually need to be root, usually use sudo instead of su.

In the other cases, if you just need to switch user, then no point at all to refer to wheel.

3 comments

You can disable direct root login and force users to log in as their own account first. This way, any root login is tracked—you know who logged in as root, because they had to log in as their own account in order to run su.
In such a case: sudo su, then.

and let sudo verify that the user belongs to the group of allowed sudoers.

No need for the password to the root account.

Objection: su is a very simple program that does (approximately) one thing. Meanwhile the sudoers(5) man page starts with an introduction to EBNF grammars.

I strongly prefer doas wherever it's available.

What a bizarre anachronistic rant.
sudo does completely obsolete su, yes. (sudo su is redundant, you can just sudo -su)
Incorrect, they serve different purposes. If sudo isn't installed then you don't require security updates for sudo...

If you do have sudo you can be very restrictive on who can run what.