Subject: Re: su(1) group wheel restriction
To: Mike Long <>
From: Curt Sampson <>
List: tech-userlevel
Date: 01/09/1997 09:20:50
On Thu, 9 Jan 1997, Mike Long wrote:

> >	* Allow anyone to su to root if gid 0 exists and has no
> >	  members.  Since NetBSD ships with root explicitly belonging
> >	  to group wheel, the default behavior will not change.
> I prefer this solution.

I think we've been through this before, and I still don't like it
for the same reason. If you're going to have a way of making things
less secure, it should preferably be something quite explicit that
is easily extrapolated from current behaviour, and that makes it
fairly obvious that some security has been removed. This doesn't
really do it for me.

Why not just modify su to check the wheel entry in the group map
or the /etc/group file and look to see if the content is just `*'?


Curt Sampson		Info at
Internet Portal Services, Inc.	
Vancouver, BC   (604) 257-9400		De gustibus, aut bene aut nihil.