Linux: allow su only to specific target users (PAM)

cat /etc/pam.d/su
#%PAM-1.0
# /etc/pam.d/su: limits who may run su and which target accounts they may
# switch to. Callers must be in group1 or group2, and the target user must
# appear in that group's allow-list file.
#
# NOTE(review): the jump counts below (default=1, success=2) are positional.
# Adding or removing an auth line between them changes which checks get
# skipped, so re-count after every edit and test from a second root session.

# root may su to anyone; no further auth modules are consulted.
auth sufficient pam_rootok.so
# Is the calling user (use_uid: the real uid, not the login name) in group1?
#   member     -> success=ok, continue with the group1 allow-list on the next line
#   non-member -> default=1, skip the next module and go to the group2 check
auth [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1
# group1 callers: the target user (item=user) must be listed in the file.
#   listed     -> success=2, skip both group2 lines and go to system-auth
#   otherwise  -> default=die, the stack fails immediately
# onerr=fail makes a missing or unreadable file deny rather than allow.
# A caller who is in both groups is only ever judged against this list.
auth [success=2 default=die] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
# Reached only by callers outside group1: they must be in group2, or the
# stack fails here (default=die), so users in neither group cannot su.
auth [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2
# group2 callers: the target user must be listed in the file; requisite
# fails the stack immediately when it is not.
auth requisite pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
# Normal authentication still runs after the group/list checks. None of the
# pam_wheel lines is "sufficient", so "trust" alone does not appear to
# bypass whatever system-auth requires (its contents are not shown here).
auth include system-auth
# Account phase passes at once when the calling user's uid is 0.
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
# Forwards X authority (xauth) keys to the target user's session; optional,
# so a failure here does not block su.
session optional pam_xauth.so
# NOTE(review): both allow-list files decide who can become whom. Keep them
# root-owned and not writable by anyone else; pam_listfile rejects a
# world-writable or non-regular file.

more /etc/security/su-group2-access
one

tail /etc/group
group1:x:511:one
