gnu-misc-discuss

Re: GNU su and the wheel group


From: Alan Schwartz
Subject: Re: GNU su and the wheel group
Date: Mon, 27 Sep 2004 19:44:24 +0000 (UTC)

Tristan Miller  <psychonaut@nothingisreal.com> writes:
>Greetings.
>
>Apparently there are some versions of su which will refuse to run unless
>the user is a member of the `wheel' group.  GNU su refuses to implement
>this check, because, as per a note from Richard Stallman in the info page, 
>
>> Under the usual `su' mechanism, once someone learns the root password who
>> sympathizes with the ordinary users, he or she can tell the rest.  The
>> "wheel group" feature would make this impossible, and thus cement the
>> power of the rulers.
>
>I don't really understand this argument, for the following reasons:
>
>1) If someone has the root password, can't they just log in as root from a
>regular terminal or via ssh?  Or is it typical for Un*x systems to be
>configured such that the root account can be accessed only via su?

Often root logins are restricted so su is required, yes.

>2) Even if su is the only way of logging in as root, why couldn't a
>"sympathizer" simply add all users to the wheel group in addition to
>telling others the root password?

That's a good point, although obviously much more noticeable.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                       Alan Schwartz <alansz@uic.edu>
Author/Co-author of: "Managing Mailing Lists", "SpamAssassin", 
"Stopping Spam", and  "Practical Unix & Internet Security, 3rd Ed"
           Published by O'Reilly Media, Inc. (http://www.oreilly.com)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

