Subject: Re: su(1) group wheel restriction
To: None <tech-userlevel@NetBSD.ORG>
From: der Mouse <mouse@Holo.Rodents.Montreal.QC.CA>
Date: 01/10/1997 10:04:11
> It seems poor to me that the only way to configure a machine to allow
> arbitrary users to su to root is to give up having a name for group
Well, su does have a configuration language; it's called C. :-)
[Personally, having the source is much of the reason I run NetBSD;
what's the point of having the source if you don't use it?]
But yes, I agree that this restriction is rather stupid. There's no
reason an admin should have to hack su.c just to make what is in many
environments a perfectly reasonable administrative policy decision.
> * Allow anyone to su to root if gid 0 exists and has no members.
> * Create a new file in /etc (/etc/su.conf, whatever) which controls
> who can su to root.
After reading of the other comments on the subject, at least the ones
which have made it to my mailbox :-), I think the first of these is
reasonable; perhaps even better is if the user list for group zero (or
perhaps group "wheel") contains the special name "*". Perhaps if it
contains "*su", since there may be some reason to allow wildcards for
other purposes in the future.
Personally, I'm inclined to say the whole only-wheel-may-su-root thing
is a botch anyway, but it ain't gonna go away....
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B