Subject: Re: su(1) group wheel restriction
To: Jason Thorpe <email@example.com>
From: Luke Mewburn <firstname.lastname@example.org>
Date: 01/10/1997 11:28:50
Jason Thorpe writes:
> On Thu, 9 Jan 1997 09:53:14 -0500
> Greg Hudson <email@example.com> wrote:
> > * Create a new file in /etc (/etc/su.conf, whatever) which
> > controls who can su to root. If it doesn't exist, fall back
> > to the old check. If it does exist, it's, say, a list of
> > usernames, one per line, with the username "*" matching all
> > users.
> > Comments?
> I like this... (BTW, I'd also like it to support netgroups, too... like,
> @super-users, for example...) I'd also like the ability for /etc/su.conf
> to come in the form of a YP map (activated with a "+" entry in the
> Real File).
[Warning: thread diversion alert!]
If this is done, I hope we don't use that crufty old '+' syntax. It
should only be used for passwd/group compat reasons...
If you want data to be sourced from files, yp, dns, whatever, then we
should just use the nsswitch(*) library I've written. All you'd do
is add an entry to /etc/nsswitch.conf of the form:
su: yp files
Note that if the 'su' entry is non-existant, nsswitch will default to
That's the advantage of writing a generic nsdispatch() function. You
can write clients for anything you like... :-)
(*) Before you ask: I'm waiting on some modifications to come back
from J.T. before I merge nsswitch into the mainline libc...