I did some research, and if you compile the shadow package (the package that supplies su and everything for /etc/passwd and /etc/group) with PAM, you don’t get suauth. I could hack the configure script and change that, but the developers did it for a reason.
Anywho, the solution is in PAM, as many of you have already determined. The following works for me, and works as expected. I tested all exceptions I could think of, but then again it is 1:00 in the morning and I might have overlooked something.
And here it is:
1. Edit /etc/pam.d/su, after
Code:
auth sufficient /lib/security/pam_rootok.so
add
Code:
auth sufficient /lib/security/pam_listfile.so item=ruser \
onerr=fail sense=allow file=/etc/security/su-nopass
2. Create a /etc/security/su-nopass file, and put one username per line. Only put users that you want to have access to root without a password.
3. Double check the permissions on the file; we don’t want it world writable, and world readable is a matter of personal preference.
Basically, the above says that any user in the su-nopass file is allowed to su without entering a password.
You could move the pam_wheel module before the pam_listfile line to require the user to belong to the wheel group. Again, this is personal preference based on security needs.
Hope it works, tell me what you think. Tell me if there are any flaws.
PS: This is not my work; I can’t remember where I got this.
In Ubuntu:
groupadd wheel, add yourself to this group, edit /etc/pam.d/su and uncomment the appropriate line:
auth sufficient pam_wheel.so trust
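
An audit script for the three steps above, added here as an example (it is not part of the original post). It checks that the pam_listfile rule sits after pam_rootok with the options shown, and that the list file is a regular file with the expected owner, not group- or world-writable, holding one bare username per line. The function names and the username pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the passwordless-su setup (not the poster's code).

# Print a PAM file with backslash continuations joined, whitespace
# squeezed, and comment/blank lines dropped.
pam_lines() {
    awk '{ if (sub(/\\$/, "")) { buf = buf $0 " "; next }
           line = buf $0; buf = ""; gsub(/[ \t]+/, " ", line)
           if (line !~ /^ ?(#|$)/) print line }' "$1"
}

# $1 = PAM service file, e.g. /etc/pam.d/su
check_su_pam() {
    local cfg rootok listfile line opt rc
    rc=0
    cfg=$(pam_lines "$1")
    rootok=$(printf '%s\n' "$cfg" | grep -n 'pam_rootok\.so' | head -n1 | cut -d: -f1)
    line=$(printf '%s\n' "$cfg" | grep -n 'pam_listfile\.so.*su-nopass' | head -n1)
    listfile=${line%%:*}
    [ -n "$line" ] || { echo "no pam_listfile rule for su-nopass"; return 1; }
    [ -n "$rootok" ] && [ "$rootok" -lt "$listfile" ] ||
        { echo "pam_listfile rule is not placed after pam_rootok"; rc=1; }
    for opt in item=ruser sense=allow onerr=fail; do
        case " $line " in
            *" $opt "*) ;;
            *) echo "pam_listfile rule lacks $opt"; rc=1 ;;
        esac
    done
    return $rc
}

# $1 = list file, $2 = expected owner (name or numeric uid, default root)
check_nopass_file() {
    local f owner rc
    f=$1; owner=${2:-root}; rc=0
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "$f: not a regular file"; return 1; }
    [ -n "$(find "$f" -prune -user "$owner")" ] ||
        { echo "$f: not owned by $owner"; rc=1; }
    [ -z "$(find "$f" -prune -perm -0020)$(find "$f" -prune -perm -0002)" ] ||
        { echo "$f: group- or world-writable"; rc=1; }
    # Conservative username pattern (assumption): flags blanks and stray text.
    if grep -nvE '^[A-Za-z_][A-Za-z0-9_.-]*$' "$f"; then
        echo "$f: the lines above are not a bare username"; rc=1
    fi
    return $rc
}

if [ $# -eq 2 ]; then check_su_pam "$1"; check_nopass_file "$2"; fi
```

Run it as root with the two paths from the steps, for example `sh audit-su.sh /etc/pam.d/su /etc/security/su-nopass` (the script name is arbitrary).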

Wow.. thanks for the tips.. I learned a lot