Subject: Re: su(1) group wheel restriction
To: None <tech-userlevel@NetBSD.ORG>
From: der Mouse <mouse@Holo.Rodents.Montreal.QC.CA>
List: tech-userlevel
Date: 01/10/1997 10:04:11
> It seems poor to me that the only way to configure a machine to allow
> arbitrary users to su to root is to give up having a name for group
> 0.

Well, su does have a configuration language; it's called C. :-)
[Personally, having the source is much of the reason I run NetBSD;
what's the point of having the source if you don't use it?]

But yes, I agree that this restriction is rather stupid.  There's no
reason an admin should have to hack su.c just to make what is in many
environments a perfectly reasonable administrative policy decision.

> * Allow anyone to su to root if gid 0 exists and has no members.

> * Create a new file in /etc (/etc/su.conf, whatever) which controls
>   who can su to root.

After reading the other comments on the subject, at least the ones
which have made it to my mailbox :-), I think the first of these is
reasonable; perhaps even better is if the user list for group zero (or
perhaps group "wheel") contains the special name "*".  Perhaps if it
contains "*su", since there may be some reason to allow wildcards for
other purposes in the future.

Personally, I'm inclined to say the whole only-wheel-may-su-root thing
is a botch anyway, but it ain't gonna go away....

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
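The three policies argued over in this message (stock "must be in gid 0's
member list", "empty gid 0 member list means anyone", and a "*"/"*su"
wildcard member) are easy to get subtly wrong, so here is a standalone
implementation as an added example. It is not NetBSD's su.c and not code
from the poster; the group(5) entries are constructed in-line so the
check runs offline without reading the real /etc/group, and the policy
names, the function names and the user names are this example's own.
Like the stock check, it consults only the member field of gid 0, not
users whose primary gid in passwd happens to be 0.

```c
/*
 * Added example, not NetBSD's su.c: the root-su policies discussed in
 * the thread, evaluated against constructed group(5) lines.
 *
 *   POLICY_STOCK      no gid 0 => anyone; otherwise caller must be listed
 *   POLICY_EMPTY_ALL  as stock, plus: gid 0 exists with no members => anyone
 *   POLICY_WILDCARD   as stock, plus: a member named "*" or "*su" => anyone
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum policy { POLICY_STOCK, POLICY_EMPTY_ALL, POLICY_WILDCARD };

/* Constructed group databases, one per scenario (NULL-terminated). */
static const char *const DB_LISTED[]   = { "wheel:*:0:root,alice", "users:*:100:", NULL };
static const char *const DB_EMPTY[]    = { "wheel:*:0:",           "users:*:100:", NULL };
static const char *const DB_WILDCARD[] = { "wheel:*:0:root,*su",   "users:*:100:", NULL };
static const char *const DB_NOGID0[]   = { "users:*:100:alice",                    NULL };

/* Copy colon-separated field `idx` (0-based) of a group(5) line into out.
 * Returns 0 if the line has no such field; truncates rather than overflows. */
static int field(const char *line, int idx, char *out, size_t outlen)
{
    const char *p = line, *e;
    size_t len;
    int i;

    for (i = 0; i < idx; i++) {
        if ((p = strchr(p, ':')) == NULL)
            return 0;
        p++;
    }
    e = strchr(p, ':');
    len = e ? (size_t)(e - p) : strlen(p);
    if (len >= outlen)
        len = outlen - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Exact (not prefix) match of `name` against a comma-separated member list. */
static int list_has(const char *list, const char *name)
{
    size_t nl = strlen(name), len;
    const char *p = list, *e;

    while (*p != '\0') {
        e = strchr(p, ',');
        len = e ? (size_t)(e - p) : strlen(p);
        if (len == nl && memcmp(p, name, nl) == 0)
            return 1;
        if (e == NULL)
            break;
        p = e + 1;
    }
    return 0;
}

/* Find the entry for `gid` and copy its member field (possibly empty).
 * Returns 1 if the gid exists in the database, 0 otherwise. */
static int group_members(const char *const *db, long gid, char *out, size_t outlen)
{
    char f[32];
    char *end;
    long g;

    for (; *db != NULL; db++) {
        if (!field(*db, 2, f, sizeof f))
            continue;
        g = strtol(f, &end, 10);
        if (end == f || *end != '\0' || g != gid)
            continue;
        if (!field(*db, 3, out, outlen))
            out[0] = '\0';
        return 1;
    }
    return 0;
}

/* Returns 1 if `user` may su to root under `pol`, else 0. */
int may_su_root(const char *const *db, const char *user, enum policy pol)
{
    char members[256];

    if (!group_members(db, 0, members, sizeof members))
        return 1;               /* no group 0 at all: stock su does not restrict */
    if (list_has(members, user))
        return 1;               /* explicitly listed: allowed under every policy */
    switch (pol) {
    case POLICY_EMPTY_ALL:
        return members[0] == '\0';
    case POLICY_WILDCARD:
        return list_has(members, "*") || list_has(members, "*su");
    default:
        return 0;
    }
}

int main(void)
{
    printf("alice listed, stock:     %d\n", may_su_root(DB_LISTED,   "alice", POLICY_STOCK));
    printf("bob unlisted, stock:     %d\n", may_su_root(DB_LISTED,   "bob",   POLICY_STOCK));
    printf("bob, empty wheel, empty: %d\n", may_su_root(DB_EMPTY,    "bob",   POLICY_EMPTY_ALL));
    printf("bob, *su, wildcard:      %d\n", may_su_root(DB_WILDCARD, "bob",   POLICY_WILDCARD));
    printf("bob, *su, stock:         %d\n", may_su_root(DB_WILDCARD, "bob",   POLICY_STOCK));
    printf("bob, no gid 0, stock:    %d\n", may_su_root(DB_NOGID0,   "bob",   POLICY_STOCK));
    return 0;
}
```

Two things worth noticing when comparing the policies: the wildcard
member is only meaningful under POLICY_WILDCARD, so a stock su presented
with "root,*su" still denies everyone but root, which is why the message
suggests a distinct spelling ("*su") rather than relying on an empty
list; and list_has() compares whole names, since a prefix match would let
"ali" ride on "alice".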