How are you testing things? Are you logging in as joeuser directly, or are you logging in as root (or another user) and then su-ing to the joeuser account?
I was trying to reproduce the behavior you've described in a SLES container, and I successfully (?) ran into the same problem:
testuser@714eeb148216:~> su
Password:
I turned on debug output for the pam_wheel module...
auth sufficient pam_wheel.so trust debug
...and noticed I was hitting this error:
pam_wheel(su:auth): who is running me ?!
And that's because in my container environment I was missing the utmp file (/run/utmp, aka /var/run/utmp). This is used by pam_wheel to identify the user who originally logged in on the current tty. The file is populated by the login program, and it must exist first.
Once I (a) created an empty /run/utmp file and then (b) arranged for login to run on a fake pty device, I was able to log in as a test user and su without a password:
testuser@714eeb148216:~> su
714eeb148216:/home/testuser #
Running su - would still fail until I also updated /etc/pam.d/su-l.
However: if I logged in as root, and then switched to an unprivileged user:
714eeb148216 login: root
Password:
Directory: /root
Tue Dec 17 11:43:14 UTC 2024
714eeb148216:~ # groups
root
714eeb148216:~ # su - testuser
I will again get prompted for a password:
testuser@714eeb148216:~> su
Password:
Because:
pam_wheel(su:auth): Access denied to 'root' for 'root'
pam_wheel sees that root was the user that originally logged in on the terminal, so even though I am running su as the testuser user, pam_wheel is basing decisions on the group membership of root.
You can modify this behavior so that pam_wheel does not consult /run/utmp (and instead uses the uid of the calling process to determine permissions) with the use_uid option; if I modify /etc/pam.d/su like this:
auth sufficient pam_wheel.so trust use_uid debug
Then the above process works as expected.
wheel group grants you access to su, but you still have to know the password of the user you are impersonating. I haven't really seen su being set up to grant passwordless access to another user's account (from non-root users). I would use doas or sudo for that.

joeuser, you can su without further authenticating. Also, clarified that I don't mean becoming another non-root user, just plain su to be root (although impersonation also works without authentication, and you don't have to know their password).

wheel group you have? (I'd expect it to have a lower GID...) Do you know for sure that your su implementation actually uses PAM? If it does, did you update both pam.d/su and pam.d/su-l for the two different su invocations?
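A small diagnostic for the two failure modes the answer walks through (no utmp file, and pam_wheel judging access by the utmp login user instead of the calling uid). This is an added example, not code from the answer's author; the function names and the sample configuration files it builds are constructed for illustration, and it reads /run/utmp by default rather than also checking /var/run/utmp.

```shell
#!/bin/sh
# Added diagnostic (not from the answer above): read the pam_wheel line of a PAM
# service file and say whether access will be judged by the utmp login user
# (the default) or by the calling process uid (use_uid), plus the other flags set.
# Function names and the sample files created below are constructed for this example.

# pam_wheel_policy FILE
# Prints "missing" when FILE has no active pam_wheel auth line, otherwise
# "<basis>:<flags>" where basis is "utmp" or "uid" and flags is a comma-separated
# list of the recognised options (or "none").
pam_wheel_policy() {
    _line=$(grep -E '^[[:space:]]*auth[[:space:]]+[^#[:space:]]+[[:space:]]+pam_wheel\.so' "$1" | head -n 1)
    if [ -z "$_line" ]; then
        echo missing
        return 0
    fi
    _basis=utmp
    _flags=
    # Tokens "auth", the control word and "pam_wheel.so" fall through the case.
    for _tok in $_line; do
        case "$_tok" in
            use_uid) _basis=uid ;;
            trust|deny|root_only|debug|group=*)
                _flags="${_flags:+$_flags,}$_tok" ;;
        esac
    done
    echo "$_basis:${_flags:-none}"
}

# utmp_status [FILE]
# The default (utmp) basis needs a utmp file that login has populated; when the
# file is absent pam_wheel logs "who is running me ?!" and the module fails.
utmp_status() {
    if [ -e "${1:-/run/utmp}" ]; then
        echo present
    else
        echo absent
    fi
}

# Demo with two constructed su configurations: the line from the answer that
# still consults utmp, and the same line with use_uid added.
demo_dir=$(mktemp -d)
printf 'auth sufficient pam_wheel.so trust debug\n'         > "$demo_dir/su"
printf 'auth sufficient pam_wheel.so trust use_uid debug\n' > "$demo_dir/su-l"
for svc in su su-l; do
    echo "$svc: $(pam_wheel_policy "$demo_dir/$svc")"
done
echo "utmp: $(utmp_status)"
rm -rf "$demo_dir"
```

Run it against the real files with `pam_wheel_policy /etc/pam.d/su` and `pam_wheel_policy /etc/pam.d/su-l`: a result of `utmp:...` on a host where `utmp_status` reports `absent` reproduces the "who is running me ?!" denial, and differing results for the two files explain why plain `su` and `su -` can behave differently.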