Subject: Re: su(1) group wheel restriction
To: None <>
From: Mike Long <>
List: tech-userlevel
Date: 01/09/1997 11:34:39
>Date: Thu, 9 Jan 1997 09:53:14 -0500
>From: Greg Hudson <>

>It seems poor to me that the only way to configure a machine to allow
>arbitrary users to su to root is to give up having a name for group 0.
>Assuming we want to solve this problem, there are two solutions I can
>come up with:
>	* Allow anyone to su to root if gid 0 exists and has no
>	  members.  Since NetBSD ships with root explicitly belonging
>	  to group wheel, the default behavior will not change.

I prefer this solution.

>	  This is the most minimal change, but you could still imagine
>	  it screwing over some systems which happen to have empty
>	  group wheels (for whatever reason) and don't realize that in
>	  the new version of NetBSD, anyone can su to root.

I think the usual notification of current-users should be sufficient.
The change should also be documented in doc/CHANGES and the notes for
the next release.
Mike Long <>     <URL:>
VLSI Design Engineer         finger for PGP public key
Analog Devices, CPD Division          CCBF225E7D3F7ECB2C8F7ABB15D9BE7B
Norwood, MA 02062 USA       (eq (opinion 'ADI) (opinion 'mike)) -> nil