Subject: Re: su(1) group wheel restriction
To: Mike Long <mike.long@analog.com>
From: Simon Burge <simonb@telstra.com.au>
List: tech-userlevel
Date: 01/10/1997 11:22:04
On Thu, 9 Jan 97 13:23:57 EST Mike Long wrote:

> >Date: Thu, 9 Jan 1997 12:13:12 -0500 (EST)
> >From: Hacksaw <hacksaw@user1.channel1.com>
> >
> >>>Date: Thu, 9 Jan 1997 09:53:14 -0500
> >>>From: Greg Hudson <ghudson@mit.edu>
> 
> >>>	* Allow anyone to su to root if gid 0 exists and has no
> >>>	  members.  Since NetBSD ships with root explicitly belonging
> >>>	  to group wheel, the default behavior will not change.
> 
> >I think this is a bad solution, for the simple reason that I use wheel
> >as a "Power Users" group, so that those in the know can install into
> >/usr/local/ and whatnot. Since not much gets shipped as being owned by
> >group wheel, this affords fewer surprises for me the sys-admin.
> 
> It's easy enough to create and use another group for that; you don't
> need to use wheel.  That's the whole *point* of the group mechanism,
> to give various overlapping sets of users permission to do specific
> things.

Indeed, that's what we do here.  We have a "sugroup" check instead of a
gid 0 check in our production version of su.  For our sites that are
less concerned about security, we just don't define "sugroup" and
everything works as needed.

Simon.
--
Simon Burge						simonb@telstra.com.au
UNIX Support, CPR Project.				+61 3 9634 3974 (Phone)
Telstra Corporation, Melbourne, Australia.		+61 3 9670 1189 (Fax)
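As an added illustration of the two policies compared in this thread (the proposed "gid 0 exists but has no members, so anyone may su" rule and Simon's site-defined "sugroup" check), here is a small C decision function; it is not code from NetBSD's su(1) or from any poster. The group entries are constructed inline rather than read from /etc/group, and treating a missing gating group as "no restriction" follows Simon's description of sites that simply do not define "sugroup".

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>

/* Decide whether `user` may su to root under a group-gated policy.
 *   sugrp == NULL        : the gating group is not defined at all, so no
 *                          restriction applies (sites that skip "sugroup").
 *   group has no members : unrestricted, as in the proposed gid-0 rule.
 *   otherwise            : the user must be listed in the group's members.
 * Returns 1 if su is permitted, 0 if it is refused. */
int su_allowed(const struct group *sugrp, const char *user)
{
    if (sugrp == NULL)
        return 1;
    if (sugrp->gr_mem == NULL || sugrp->gr_mem[0] == NULL)
        return 1;
    for (char **m = sugrp->gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Constructed sample group entries (hypothetical, not read from /etc/group). */
static char *wheel_members[] = { "root", "alice", NULL };
static const struct group wheel_with_members = {
    .gr_name = "wheel", .gr_passwd = "*", .gr_gid = 0, .gr_mem = wheel_members
};
static char *no_members[] = { NULL };
static const struct group wheel_empty = {
    .gr_name = "wheel", .gr_passwd = "*", .gr_gid = 0, .gr_mem = no_members
};

int main(void)
{
    printf("alice, wheel populated: %d\n", su_allowed(&wheel_with_members, "alice"));
    printf("bob,   wheel populated: %d\n", su_allowed(&wheel_with_members, "bob"));
    printf("bob,   wheel empty:     %d\n", su_allowed(&wheel_empty, "bob"));
    printf("bob,   no gating group: %d\n", su_allowed(NULL, "bob"));
    return 0;
}
```

The third and fourth cases are the ones Hacksaw's objection is about: an empty or undefined gating group silently opens su to every account, so an administrator who repurposes wheel as a "power users" group needs to know which rule their su applies.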