The current ebuilds for shadow apply a pacth (shadow-4.0.5-login.defs.patch) that sets the default value for SU_WHEEL_ONLY to yes. This applies to non-PAM systems, and was intended to match the behaviour of PAM systems, where pam_wheel is enabled by default (that's explained in the handbook, too). However, the result is not the same: the implementation of SU_WHEEL_ONLY in shadow is such that only users in the group with gid=0 can su to root, and not users belonging to the wheel group. I think we should apply the following patch, which changes the behaviour of SU_WHEEL_ONLY to match PAM (and to be consistent with its name). Maybe this should be also submitted upstream?
Created attachment 50134 [details, diff] shadow-4.0.7-wheel.patch
added 4.0.7 w/patch & e-mailed patch upstream, thanks
*** Bug 81175 has been marked as a duplicate of this bug. ***
Rather than patching su, how about installing a file /etc/suauth containing the line: root:ALL EXCEPT GROUP wheel:DENY and leaving SU_WHEEL_ONLY as no? See man suauth for details on what this does.
