Re: GNU su and the wheel group
From: Alan Schwartz
Subject: Re: GNU su and the wheel group
Date: Mon, 27 Sep 2004 19:44:24 +0000 (UTC)

Tristan Miller <psychonaut@nothingisreal.com> writes:
>Greetings.
>
>Apparently there are some versions of su which will refuse to run unless
>the user is a member of the `wheel' group. GNU su refuses to implement
>this check, because, as per a note from Richard Stallman in the info page,
>
>> Under the usual `su' mechanism, once someone learns the root password who
>> sympathizes with the ordinary users, he or she can tell the rest. The
>> "wheel group" feature would make this impossible, and thus cement the
>> power of the rulers.
>
>I don't really understand this argument, for the following reasons:
>
>1) If someone has the root password, can't they just log in as root from a
>regular terminal or via ssh? Or is it typical for Un*x systems to be
>configured such that the root account can be accessed only via su?

Often root logins are restricted so su is required, yes.

>2) Even if su is the only way of logging in as root, why couldn't a
>"sympathizer" simply add all users to the wheel group in addition to
>telling others the root password?

That's a good point, although obviously much more noticeable.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Alan Schwartz <alansz@uic.edu>
Author/Co-author of: "Managing Mailing Lists", "SpamAssassin",
"Stopping Spam", and "Practical Unix & Internet Security, 3rd Ed"
Published by O'Reilly Media, Inc. (http://www.oreilly.com)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
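
The reply above calls adding every user to the wheel group "much more noticeable" than passing on a password. As an added example (not part of the original message), this sketch shows why: membership is recorded in `/etc/group` and `/etc/passwd`, so comparing two snapshots exposes it, including the case where a user's primary group is changed to wheel. The file contents are constructed samples and the function names are hypothetical.

```python
def parse_group(text):
    """Parse /etc/group-format text into {name: (gid, set_of_members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # skip malformed entries rather than guess
        name, _pw, gid, members = fields
        groups[name] = (gid, {m for m in members.split(",") if m})
    return groups

def wheel_members(group_text, passwd_text, group="wheel"):
    """Effective members: supplementary members plus primary-GID users."""
    groups = parse_group(group_text)
    if group not in groups:
        return set()
    gid, members = groups[group]
    members = set(members)
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        # passwd format: name:passwd:uid:gid:gecos:home:shell
        if len(fields) >= 4 and fields[3] == gid:
            members.add(fields[0])
    return members

def wheel_changes(before, after, group="wheel"):
    """Diff effective membership between two (group, passwd) snapshots."""
    old = wheel_members(*before, group=group)
    new = wheel_members(*after, group=group)
    return {"added": sorted(new - old), "removed": sorted(old - new)}

# Constructed sample snapshots (not taken from any real system).
PASSWD_OLD = ("root:x:0:0:root:/root:/bin/sh\nalice:x:1000:100::/home/alice:/bin/sh\n"
              "bob:x:1001:100::/home/bob:/bin/sh\ncarol:x:1002:100::/home/carol:/bin/sh\n")
GROUP_OLD = "root:x:0:\nwheel:x:10:alice\nusers:x:100:\n"
# Later snapshot: bob added as a supplementary member, carol's primary GID set to 10.
PASSWD_NEW = PASSWD_OLD.replace("carol:x:1002:100:", "carol:x:1002:10:")
GROUP_NEW = "root:x:0:\nwheel:x:10:alice,bob\nusers:x:100:\n"

BASELINE = (GROUP_OLD, PASSWD_OLD)
CURRENT = (GROUP_NEW, PASSWD_NEW)

if __name__ == "__main__":
    print(wheel_changes(BASELINE, CURRENT))
```
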