Subject: Re: su(1) group wheel restriction
To: Chad Mynhier <mynhier@cs.utk.edu>
From: Greg Hudson <ghudson@MIT.EDU>
List: tech-userlevel
Date: 01/09/1997 10:30:34

> What is the difference between adding a user to /etc/su.conf and
> adding the user to the wheel group?  It seems that the only real
> difference between the two is the ability to put '*' in
> /etc/su.conf.

Precisely.  The only reason to retain the meaning of group wheel at
all, in this scheme, would be for backward compatibility.

> This may be a naive question, but is the root password known by so
> many people at your site that it's easier to let anyone su than to
> add specific people to the wheel group?

There are a bunch, but it's more a combination of:

	* No other operating system we use has the restriction; that
	  is, we are used to restricting root access based on "what
	  you know" rather than by both "what you know" and "who you
	  are".

	* There are other, more laborious ways for these people to get
	  root access to the machines in question.

	* The multi-user security of a given workstation is less
	  important in our environment, so the tradeoff favors the
	  "weaker security" of disabling the group wheel restriction.