penguinland n00b
Joined: 26 Sep 2004 Posts: 50 Location: California
|
Posted: Sat Jan 22, 2005 10:54 am Post subject: Why have a wheel group? |
|
|
A friend and I were talking today, and he asked me why Gentoo has a wheel group. Why not let anyone at all use su, if they have the password? I replied that there are only some people who have any business becoming the super user, and the wheel group was a way to keep other people from messing around, even if they somehow got the root password. He replied that, if they got the password, they could just log in as root and circumvent the whole thing.
So, does anyone know the real reason? Why does the wheel group exist at all? What benefit does it give us?
_________________
Flying is the art of throwing yourself at the ground and missing.
- Douglas Adams |
|
|
|
Gherald Veteran
Joined: 23 Aug 2004 Posts: 1399 Location: CLUAConsole
|
Posted: Sat Jan 22, 2005 12:16 pm Post subject: |
|
|
Quote: | He replied that, if they got the password, they could just log in as root and circumvent the whole thing. |
Not so if you disable direct root logins! This is a very good security procedure, particularly ssh root logins.
But what I find most handy for non-critical machines is in the file /etc/pam.d/su
Code: | # Uncomment this to allow users in the wheel group to su without
# entering a passwd.
auth sufficient /lib/security/pam_wheel.so use_uid trust |
That or a similarly configured sudo combined with some .bashrc magic:
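Code: | if [ -e /usr/bin/sudo ]; then
    alias sudo=/usr/bin/sudo
else
    alias sudo="su -c"   # fallback: takes the whole command as one quoted string
fi
function root { # repeat last command with root privs
    local PREVCMD
    # "history 2" lists the previous command and this "root" call; keep the first, minus its number
    PREVCMD=$(history 2 | head -n 1 | awk '{ $1 = ""; sub(/^ */, ""); print; exit }')
    if [ -e /usr/bin/sudo ]; then
        /usr/bin/sudo sh -c "$PREVCMD"   # sudo would treat the quoted string as a single program name
    else
        su -c "$PREVCMD"
    fi
} |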
...takes a lot of the redundancy out of using a desktop system, while still providing security against unintentional or accidental use of root privs.
Last edited by Gherald on Sat Jan 22, 2005 12:26 pm; edited 1 time in total |
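An added example, not part of the thread or of Gentoo's tooling: a small check of the two settings this exchange turns on, namely whether the su PAM stack actually limits su to wheel and whether direct root login over ssh is disabled. The function names and finding labels are hypothetical, the sample stacks are constructed (only the pam_wheel `trust` line is the one quoted in the post above), and the check ignores sshd `Match` blocks and other login paths such as the console or gdm.

```python
import re

# type, control (plain word or [bracketed]), module path, options
PAM_LINE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def pam_wheel(pam_su_text):
    """Summarise the pam_wheel auth lines of an /etc/pam.d/su stack."""
    state = {"restricts": False, "passwordless": False}
    for raw in pam_su_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "auth" or not m.group(3).endswith("pam_wheel.so"):
            continue
        control, opts = m.group(2), m.group(4).split()
        if "deny" in opts:
            continue  # inverted sense (blocks the group); not assessed here
        if control in ("required", "requisite"):
            state["restricts"] = True      # non-members fail whatever password they type
        elif control == "sufficient" and "trust" in opts:
            state["passwordless"] = True   # members skip the password; others fall through
    return state

def permit_root_login(sshd_text):
    """First global PermitRootLogin value, or None if unset (Match blocks ignored)."""
    for raw in sshd_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0].lower() == "match":
            break
        if len(words) >= 2 and words[0].lower() == "permitrootlogin":
            return words[1].lower()
    return None

def assess(pam_su_text, sshd_text):
    """Return hypothetical finding labels for the su and ssh configuration."""
    findings = []
    wheel = pam_wheel(pam_su_text)
    if not wheel["restricts"]:
        findings.append("su-open-to-all")  # knowing the root password is enough
    if wheel["passwordless"]:
        findings.append("wheel-su-without-password")
    if permit_root_login(sshd_text) != "no":
        findings.append("ssh-root-login-not-disabled")
    return findings

# Constructed sample stacks, not taken from a real host.
DESKTOP_SU = ("auth sufficient pam_rootok.so\n"
              "auth sufficient /lib/security/pam_wheel.so use_uid trust\n"
              "auth required pam_unix.so\n")
HARDENED_SU = ("auth sufficient pam_rootok.so\n"
               "auth required pam_wheel.so use_uid\n"
               "auth required pam_unix.so\n")

if __name__ == "__main__":
    print(assess(DESKTOP_SU, "PermitRootLogin yes\n"))
    print(assess(HARDENED_SU, "PermitRootLogin no\n"))
```

With only the `sufficient ... trust` line in the stack, users outside wheel still reach the ordinary password prompt, so that line is a convenience for wheel members and not a restriction on everyone else.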
|
|
|
Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
|
Posted: Sat Jan 22, 2005 12:25 pm Post subject: |
|
|
also it is a good indication of when someone new tries Gentoo whether they have read the install manual _________________
Quote: | Removed by Chiitoo |
|
|
|
|
scithe n00b
Joined: 12 Jan 2005 Posts: 34
|
Posted: Sat Jan 22, 2005 12:38 pm Post subject: |
|
|
In some services it is possible to disable logging in as root (gdm for example). Then users become really limited to their UID. Of course, only if you don't open any other doors, like sshd or ftpd...
Also su can enable users to bruteforce more easily. |
|
|
|
numerodix l33t
Joined: 18 Jul 2002 Posts: 743 Location: nl.eu
|
Posted: Sat Jan 22, 2005 12:55 pm Post subject: |
|
|
Here's what I always wondered about.. why is it called wheel? At first I thought it had something to do with the mouse wheel in X... (I was new to it all, gimme a break )
Does wheel mean something or is it an arbitrary name? _________________ undvd - ripping dvds should be as simple as unzip |
|
|
|
Gherald Veteran
Joined: 23 Aug 2004 Posts: 1399 Location: CLUAConsole
|
Posted: Sat Jan 22, 2005 1:11 pm Post subject: |
|
|
I believe FreeBSD and Solaris have a wheel group as well, so it's probably a historical convention from old Unix...
EDIT: ESR's Jargon File to the rescue, as usual:
Quote: | wheel n. [from slang `big wheel' for a powerful person] A person who has an active wheel bit. "We need to find a wheel to unwedge the hung tape drives." (See wedged, sense 1.) The traditional name of security group zero in BSD (to which the major system-internal users like root belong) is `wheel'. Some vendors have expanded on this usage, modifying Unix so that only members of group `wheel' can go root. |
|
|
|
|
|