In the man page for pam_wheel, the root_only option is documented as meaning simply, “The check for wheel membership is done only.”. What does this mean? It makes no sense at all. What the option actually does is it only checks for wheel membership *if the request is to become root*, but not when trying to become any other user. Counterintuitively, the DESCRIPTION section states that that’s what the module always does (“By default it permits root access to the system if the applicant user is a member of the wheel group.”); in reality, by default, pam_wheel denies all access (not just root access) unless the applicant is a member of wheel. It looks as if some text might be missing (maybe it’s supposed to say “The check for wheel membership is done only *if authenticating to the root user*.” or something similar), but the DESCRIPTION section is still incorrect in that case. Reproducible: Always
this is really an upstream issue -> https://github.com/linux-pam/linux-pam/issues Please report there that man page needs to be updated to get it solved for future versions (for the case 1.3.0-r2 still has this issue)
Upstream already appears to have fixed the missing root_only text in commit c9c2f0b5a4209b266040a2d4384a65e901443394, April 19, 2016. I suppose that will show up in a future release, and eventually make its way into Gentoo. The remaining part is now in PR form against the linux-pam repo.
