Subject: Re: CVS commit: basesrc
To: Jason R Thorpe <thorpej@zembu.com>
From: Jim Wise <jwise@draga.com>
List: source-changes
Date: 01/10/2001 17:53:53
On Wed, 10 Jan 2001, Jason R Thorpe wrote:
>On Wed, Jan 10, 2001 at 05:03:02PM -0500, Bill Sommerfeld wrote:
>
> > at the very least, the default is incorrect.
>
>My fault -- he discussed it with me, and I said "OK".

Just to be clear, because I was quick to jump, here are my two main
objections to this change:

    a.) it changes the semantics of which users may su to root
        without real warning

    b.) it overloads the meaning of entries in /etc/group -- with
        this change su treats names listed for a group as either
        user names or group names, which is both inconsistent
        with all other programs which read this file and also
        very dangerous, as user names can come and go, and this
        makes it far too easy to accidentally add users to wheel.

The first problem could be addressed with an announcement to (at least)
current-users. The second is far more serious, and I feel is grounds to
seek some other way to get the desired capability.

One possibility which springs immediately to mind is an su.conf file
which could specify one or more values of SUGROUP and/or ROOTAUTH (in
addition to or instead of wheel and/or rootauth). This would have other
benefits, too, by allowing su to be used for many of the simpler uses of
sudo...

I really don't like the idea of overloading /etc/group.

- --
Jim Wise
jwise@draga.com
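
The ambiguity raised in objection (b), as an added example that is not part of the original message and is not NetBSD's su code: a Python audit over a constructed /etc/group that shows which users gain wheel only when a listed name is also read as a group name, and classifies each listed name. The function names, the one-level expansion rule and the sample data are assumptions made for illustration.

```python
# Constructed sample data, not taken from any real system.
SAMPLE_GROUP = """\
wheel:*:0:root,alice,operator,ghost
operator:*:5:root,bob,carol
staff:*:20:dave
"""
SAMPLE_USERS = {"root", "alice", "bob", "carol", "dave", "operator"}


def parse_group(text):
    """Parse group(5) lines 'name:passwd:gid:members' into {name: [members]}."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or line.lstrip().startswith("#"):
            continue  # comment, blank or malformed entry: skip rather than guess
        groups[fields[0]] = [m for m in fields[3].split(",") if m]
    return groups


def overloaded_extra(groups, group="wheel"):
    """Users admitted only under the assumed overloaded reading, where a listed
    name that is also a group name admits that group's members (one level)."""
    listed = set(groups.get(group, []))
    expanded = set(listed)
    for name in listed:
        if name in groups and name != group:
            expanded |= set(groups[name])
    return expanded - listed


def audit(groups, users, group="wheel"):
    """Classify each listed name so ambiguous and dangling entries stand out."""
    report = {}
    for name in groups.get(group, []):
        is_user, is_group = name in users, name in groups
        if is_user and is_group:
            report[name] = "ambiguous"  # same string names a user and a group
        elif is_group:
            report[name] = "group"
        elif is_user:
            report[name] = "user"
        else:
            report[name] = "dangling"  # no such account today; a future one inherits it
    return report


if __name__ == "__main__":
    g = parse_group(SAMPLE_GROUP)
    print(sorted(overloaded_extra(g)), audit(g, SAMPLE_USERS))
```

On the sample data, bob and carol are absent from wheel's member list yet admitted once "operator" is read as a group, and "ghost" is a name that any later account could pick up.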