fix: apply PAM wheal only to su PAM service

usr/libexec/security-misc/pam_only_if_su

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Similar to:
+## /usr/libexec/security-misc/pam_only_if_login
+
+set -x
+
+true "PAM_SERVICE: $PAM_SERVICE"
+
+if [ "$PAM_SERVICE" = "su" ]; then
+   exit 1
+else
+   exit 0
+fi

usr/share/pam-configs/wheel-security-misc

@@ -3,4 +3,5 @@ Default: yes
 Priority: 280
 Auth-Type: Primary
 Auth:
+	[success=1 default=ignore]	pam_exec.so	seteuid quiet /usr/libexec/security-misc/pam_only_if_su
 	requisite	pam_wheel.so group=sudo debug