Subject: Re: SU_INDIRECT_GROUP
To: Alan Barrett <apb@cequrux.com>
From: Jim Wise <jwise@draga.com>
List: tech-security
Date: 01/20/2001 16:09:55
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Out of curiosity:  might it be more valuable in the long run to
implement a sort of an `su.conf' in /etc which could contain expansions
for SU_GROUP and ROOT_AUTH?  Combined with more su configurability for
logging, this would make su a good replacement for sudo for many
users...

OTOH, there's a strong argument to keep something as security-critical
as su as bone simple as is possible...

Thoughts?

On Fri, 19 Jan 2001, Alan Barrett wrote:

>On Fri, 19 Jan 2001, Simon J. Gerraty wrote:
>> > But perhaps that's too expensive, in which case the documentation
>> > should warn people not to expect it to work.
>>
>> Not to expect what to work?
>
>If you have the SU_INDIRECT_GROUPS feature turned on, and you add
>something that you think is a user name to the wheel group, then su
>will sometimes treat it as a group name rather than as a user name.
>This will have undesirable results if the same spelling is used for
>both a user name and a group name, and if the group contains members
>other than the user with the same spelling.
>
>> Anyway, I think it's worth adding a warning to carefully consider
>> the content of the group database(s) before enabling the feature.
>
>Yes, indeed. I think that the warning should suggest a safe way to use
>the feature, and should describe the implementation in enough detail
>that people will be able to reason about the effects of doing
>something other than the safe suggestion.
>
>--apb (Alan Barrett)
>

- -- 
				Jim Wise
				jwise@draga.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (NetBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6af6q2JhG4/qi8rQRAqKDAJ4/PQb++OlLXWH5BSV6q8pnFSPrWQCfdBOk
TZRH7xFY72+OxfwQ0n1tYUo=
=Obmg
-----END PGP SIGNATURE-----
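
The name collision Alan Barrett describes can be checked for before the feature is enabled. The following is an added example, not part of the original thread and not NetBSD's su code: it scans group(5)-format text for wheel entries that are also group names and lists the extra users each would admit if expanded as a group. The sample data and function names are constructed, and it assumes one level of expansion and only members listed in the group file.

```python
# Added example: audit group(5) text for su-group entries that are also group names.
# SAMPLE_GROUP is constructed for illustration, not taken from any real system.
SAMPLE_GROUP = """\
wheel:*:0:root,alice,operator
operator:*:5:root,bob
alice:*:1001:alice
staff:*:20:carol
"""

def parse_group(text):
    """Return {group_name: [members]} from group(5)-format text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry; skip it
        name, members = fields[0], fields[3]
        groups.setdefault(name, [])
        groups[name].extend(m.strip() for m in members.split(",") if m.strip())
    return groups

def ambiguous_wheel_entries(text, su_group="wheel"):
    """Map each su_group entry that is also a group name to the users who
    would be admitted only if that entry were expanded as a group.
    Assumption: one level of expansion; primary-group membership recorded
    in the password database is not considered."""
    groups = parse_group(text)
    direct = set(groups.get(su_group, []))
    findings = {}
    for entry in sorted(direct):
        if entry == su_group or entry not in groups:
            continue
        # Members of the same-named group who are not already listed directly.
        findings[entry] = sorted(set(groups[entry]) - direct - {entry})
    return findings

if __name__ == "__main__":
    for entry, extra in ambiguous_wheel_entries(SAMPLE_GROUP).items():
        status = "would admit " + ", ".join(extra) if extra else "no extra members"
        print(f"{entry}: also a group name; {status}")
```

An entry with an empty list (here `alice`) matches the harmless case from the thread, where the same-named group contains only that user; a non-empty list (here `operator`) is the case with undesirable results.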