The root system account is used for a great deal more than just administrative tasks. Many parts of the actual Linux operating system run under root credentials. Many distributions disable the actual root account for users and instead allow administrative functions based on membership in the wheel group.
Members of the wheel group exercise the administrative privileges of root with less potential for damaging the system. For example, members of the wheel group can use the sudo command to avoid having to sign in as the root user. You can use the visudo command to edit the privileges of the wheel group, if necessary. You can add users to the wheel group to give them privileges. Be very cautious about the membership of the wheel group.
Which rpm provides the wheel group?
The wheel group is part of the /etc/group file that is shipped in the setup rpm. Nothing on the system appears to use the group, at least by default, so it should be safe to remove the wheel group entry if desired.
How to deny members of wheel-group to change root password
We can edit /etc/sudoers file and add ‘!/usr/bin/passwd root’ to the wheel part of the line.
1. Edit /etc/sudoers in visudo.
# visudo -f /etc/sudoers
Change from:
%wheel ALL=(ALL) ALL, !/usr/bin/passwd root
2.. Restart sshd service
# systemctl restart sshd
3. SSH with user ( which is added to wheel group) and try to reset the root password, you will get error as below:
$ sudo passwd root Sorry, user geek is not allowed to execute '/bin/passwd root' as root on lab.system01