Subject: su(1) group wheel restriction
To: Greg Hudson <ghudson@mit.edu>
From: David Gilbert <dgilbert@jaywon.pci.on.ca>
List: tech-userlevel
Date: 01/09/1997 11:40:55
>>>>> "Greg" == Greg Hudson <ghudson@mit.edu> writes:

Greg> So, one of the long-standing problems we've had with NetBSD at
Greg> MIT is that in general, we'd like anyone who knows the root
Greg> password of a machine to be able to su to root.  su(1) lets
Greg> anyone su to root only if getgrent(0) fails.  (Looking at the
Greg> man page, it's not totally clear to me that this is really
Greg> "supported" behavior, but it's what the code does.)

Greg> 	* Allow anyone to su to root if gid 0 exists and has no
Greg> members.  Since NetBSD ships with root explicitly belonging to
Greg> group wheel, the default behavior will not change.

Greg> 	* Create a new file in /etc (/etc/su.conf, whatever) which
Greg> controls who can su to root.  If it doesn't exist, fall back to
Greg> the old check.  If it does exist, it's, say, a list of
Greg> usernames, one per line, with the username "*" matching all
Greg> users.

	I would definitely prefer the former.  I can't see a lot of
function being put into an su.conf.  It would then be another file
that clutters /etc.  However, I could see us generating a login.conf
--- somewhat like what BSDI does.  You could easily put extra su
functionality in there.

Dave.

-- 
============================================================================
|David Gilbert, PCI, Richmond Hill, Ontario.  | Two things can only be     |
|Mail:      dgilbert@jaywon.pci.on.ca         |  equal if and only if they |
|http://www.pci.on.ca/~dgilbert               |   are precisely opposite.  |
=========================================================GLO================