Re: GNU su and the wheel group

From: Martin Guy
Subject: Re: GNU su and the wheel group
Date: 5 Oct 2004 08:00:35 -0700

David Kastrup <> wrote in message 
> <> writes:
> > Sam Holden <> wrote:
> >> On Mon, 04 Oct 2004 23:25:49 -0400, Paul Jarc <> wrote:
> >>><> wrote:
> >>>> [root]# ls -l /bin/su
> >>>> -rwsr-x---    1 root     wheel       94625 Oct 12  2003 /bin/su
> >>>>
> >>>> Now only members of the wheel group can run su... how exciting!
> >>>
> >>> And I would say that this itself makes a better argument against
> >>> having code in su to check for the wheel group.

Well, you may be able to please everybody by configuring su's
behaviour in /etc/suauth to stop non-wheel users from even *trying* to
become root:


(assuming you have a version of su that uses /etc/suauth - GNU su
System V su seems not to)

> >> What about the poor souls who want to su from one user account to
> >> another?
> >
> > How realistic is this?
> Very realistic.  It is very common that one user asks another "I am
> having this and that problem, it does not work here" and then the
> other user comes over, uses su in an xterm to get into his own
> account, picks the necessary information, does a copy&paste job or
> whatever else, and logs out again.

In general, su-ing from an insecure account to a secure one is a no-no
since the insecure account can have its own program called "su" in
$HOME/bin which turns character echo off, prints "Password: ", reads and
mails the password and then says "Sorry." Of course this may not be
an issue in your specific context.

Su-ing from secure to insecure accounts instead does not have this
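
Added example, not part of the original message: a POSIX shell check for the PATH-shadowing problem described above. It reports which file a given PATH would run for `su` and flags it when that file sits outside a trusted directory list; the function names and the TRUSTED_DIRS default are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message): which "su" would this PATH run?
# Assumption: the directories listed here are writable only by root.
TRUSTED_DIRS="${TRUSTED_DIRS:-/bin /usr/bin /sbin /usr/sbin}"

# first_in_path CMD PATHSTRING
# Prints the first executable CMD found by walking PATHSTRING in order, as the
# shell does; exits 1 if none. Runs in a subshell so IFS/noglob stay local.
first_in_path() (
    IFS=:
    set -f
    for dir in $2; do
        # An empty PATH element means the current directory.
        if [ -z "$dir" ]; then dir=.; fi
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# path_check CMD PATHSTRING
# Return codes: 0 = resolves inside a trusted directory,
#               1 = resolves somewhere else (e.g. $HOME/bin or "."),
#               2 = not found on this PATH.
path_check() {
    found=$(first_in_path "$1" "$2") || { echo "NOTFOUND $1"; return 2; }
    found_dir=${found%/*}
    for t in $TRUSTED_DIRS; do
        if [ "$found_dir" = "$t" ]; then
            echo "OK $found"
            return 0
        fi
    done
    echo "UNTRUSTED $found"
    return 1
}

# Check the PATH of the account you are about to type a password into.
path_check su "$PATH" || true
```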
