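Goal: prevent users who are not in the wheel group from switching to root
Method: open the file with vi /etc/pam.d/su and add the following two lines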
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so group=wheel
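Result: users who have been added to wheel cannot switch to root; su reports an incorrect password
Fix: change auth required /lib/security/pam_wheel.so group=wheel
to auth required /lib/security/$ISA/pam_wheel.so group=wheel
Analysis: $ISA is a PAM built-in variable that automatically identifies the system's platform architecture. (Original text: The $ISA token is a PAM builtin that automatically looks for modules of the correct architecture, such as 32-bit or 64-bit).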
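An added example (not part of the original note): a shell check that resolves every absolute module path in a PAM service file and reports the ones that do not exist, the kind of architecture-specific path mismatch the $ISA change addresses. The function name, the constructed directory tree and the ../../lib64/security value substituted for $ISA are assumptions; the real expansion is fixed when libpam is built.

```shell
#!/bin/sh
# Added example, not from the original note.
# check_pam_modules FILE ROOT ISADIR
#   FILE   PAM service file to inspect (e.g. /etc/pam.d/su)
#   ROOT   prefix prepended to module paths ("" for the live system)
#   ISADIR text substituted for $ISA; the real value is fixed when libpam
#          is built, so the one used in the demo is an assumption
# Prints one line per absolute module path; returns 1 if any is missing.
check_pam_modules() {
    file=$1 root=$2 isadir=$3 rc=0
    while IFS= read -r line; do
        # Collapse a bracketed control such as [success=1 default=ignore]
        # into one word so the module is always the third field.
        line=$(printf '%s\n' "$line" | sed 's/\[[^]]*\]/CTRL/')
        set -f; set -- $line; set +f
        case ${1:-#} in \#*) continue ;; esac       # blank line or comment
        module=${3:-}
        # Bare names and include targets are not absolute paths; skip them.
        case $module in /*) ;; *) continue ;; esac
        case $module in
            *'$ISA'*) module=${module%%\$ISA*}$isadir${module#*\$ISA} ;;
        esac
        if [ -e "$root$module" ]; then
            echo "OK      $module"
        else
            echo "MISSING $module"; rc=1
        fi
    done < "$file"
    return $rc
}

# Constructed demo: a fake x86_64 tree where pam_wheel.so exists only in lib64.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib/security" "$tmp/lib64/security"
    : > "$tmp/lib64/security/pam_wheel.so"
    printf '%s\n' 'auth required /lib/security/pam_wheel.so group=wheel' \
        > "$tmp/su.before"
    printf '%s\n' 'auth required /lib/security/$ISA/pam_wheel.so group=wheel' \
        > "$tmp/su.after"
    check_pam_modules "$tmp/su.before" "$tmp" ../../lib64/security
    check_pam_modules "$tmp/su.after"  "$tmp" ../../lib64/security
    rm -rf "$tmp"
}
demo
```

Against a live system, pass an empty ROOT: check_pam_modules /etc/pam.d/su "" ../../lib64/security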
System environment:
bash-4.3# uname -ipmo
x86_64 x86_64 x86_64 GNU/Linux
-m, --machine
print the machine hardware name
-p, --processor
print the processor type or "unknown"
-i, --hardware-platform
print the hardware platform or "unknown"
-o, --operating-system
print the operating system